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Notice 

While reasonable efforts have been made to ensure that the 
information in this document is complete and accurate at the time of 
printing, Avaya assumes no liability for any errors. Avaya reserves the 
right to make changes and corrections to the information in this 
document without the obligation to notify any person or organization of 
such changes. 

Documentation disclaimer 

“Documentation" means information published by Avaya in varying 
mediums which may include product information, operating instructions 
and performance specifications that Avaya generally makes available 
to users of its products. Documentation does not include marketing 
materials. Avaya shall not be responsible for any modifications, 
additions, or deletions to the original published version of 
documentation unless such modifications, additions, or deletions were 
performed by Avaya. End User agrees to indemnify and hold harmless 
Avaya, Avaya's agents, servants and employees against all claims, 
lawsuits, demands and judgments arising out of, or in connection with, 
subsequent modifications, additions or deletions to this documentation, 
to the extent made by End User. 

Link disclaimer 

Avaya is not responsible for the contents or reliability of any linked Web 
sites referenced within this site or documentation provided by Avaya. 
Avaya is not responsible for the accuracy of any information, statement 
or content provided on these sites and does not necessarily endorse 
the products, services, or information described or offered within them. 
Avaya does not guarantee that these links will work all the time and has 
no control over the availability of the linked pages. 

Warranty 

Avaya provides a limited warranty on its Hardware and Software 
(“Product(s)”). Refer to your sales agreement to establish the terms of 
the limited warranty. In addition, Avaya’s standard warranty language, 
as well as information regarding support for this Product while under 
warranty is available to Avaya customers and other parties through the 
Avaya Support Web site: http://support.avava.com . Please note that if 
you acquired the Product(s) from an authorized Avaya reseller outside 
of the United States and Canada, the warranty is provided to you by 
said Avaya reseller and not by Avaya. 

Licenses 

THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA 
WEBSITE, http://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE 
APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR 
INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., 
ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER 
(AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH 
AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS 
OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES 
NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED 
FROM ANYONE OTHER THAN AVAYA, AN AVAYAAFFILIATE OR AN 
AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT 
TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE 
USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY 
INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR 
AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF 
YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, 
DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER 
REFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”), 
AGREE TO THESE TERMS AND CONDITIONS AND CREATE A 
BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE 
APPLICABLE AVAYAAFFILIATE (“AVAYA”). 

Avaya grants End User a license within the scope of the license types 
described below. The applicable number of licenses and units of 
capacity for which the license is granted will be one (1), unless a 


different number of licenses or units of capacity is specified in the 
Documentation or other materials available to End User. “Designated 
Processor” means a single stand-alone computing device. “Server” 
means a Designated Processor that hosts a software application to be 
accessed by multiple users. “Software” means the computer programs 
in object code, originally licensed by Avaya and ultimately utilized by 
End User, whether as stand-alone Products or pre-installed on 
Hardware. “Hardware” means the standard hardware originally sold by 
Avaya and ultimately utilized by End User. 

License type(s) 

Named User License (NU). End User may: (i) install and use the 
Software on a single Designated Processor or Server per authorized 
Named User (defined below); or (ii) install and use the Software on a 
Server so long as only authorized Named Users access and use the 
Software. “Named User”, means a user or device that has been 
expressly authorized by Avaya to access and use the Software. At 
Avaya's sole discretion, a “Named User” may be, without limitation, 
designated by name, corporate function (e.g., webmaster or helpdesk), 
an e-mail or voice mail account in the name of a person or corporate 
function, or a directory entry in the administrative database utilized by 
the Software that permits one user to interface with the Software. 

Shrinkwrap License (SR). Customer may install and use the Software 
in accordance with the terms and conditions of the applicable license 
agreements, such as “shrinkwrap” or “clickthrough” license 
accompanying or applicable to the Software (“Shrinkwrap License”), 
(see “Third-party Components” for more information). 

Copyright 

Except where expressly stated otherwise, no use should be made of 
materials on this site, the Documentation, Software, or Hardware 
provided by Avaya. All content on this site, the documentation and the 
Product provided by Avaya including the selection, arrangement and 
design of the content is owned either by Avaya or its licensors and is 
protected by copyright and other intellectual property laws including the 
sui generis rights relating to the protection of databases. You may not 
modify, copy, reproduce, republish, upload, post, transmit or distribute 
in any way any content, in whole or in part, including any code and 
software unless expressly authorized by Avaya. Unauthorized 
reproduction, transmission, dissemination, storage, and or use without 
the express written consent of Avaya can be a criminal, as well as a 
civil offense under the applicable law. 

Third-party components 

Certain software programs or portions thereof included in the Product 
may contain software distributed under third party agreements (“Third 
Party Components”), which may contain terms that expand or limit 
rights to use certain portions of the Product (“Third Party Terms”). 
Information regarding distributed Linux OS source code (for those 
Products that have distributed the Linux OS source code), and 
identifying the copyright holders of the Third Party Components and the 
Third Party Terms that apply to them is available on the Avaya Support 
Web site: http://support.avava.com/Copvright . 

The open source license text file, 

OpenSourceLicense . txt, is available in the Licenses 
folder on the Avaya one-X® Client Enablement Services server: / 

Licenses/OpenSourceLicense.txt. 

Preventing Toll Fraud 

“Toll fraud” is the unauthorized use of your telecommunications system 
by an unauthorized party (for example, a person who is not a corporate 
employee, agent, subcontractor, or is not working on your company's 
behalf). Be aware that there can be a risk of Toll Fraud associated with 
your system and that, if Toll Fraud occurs, it can result in substantial 
additional charges for your telecommunications services. 

Avaya Toll Fraud Intervention 

If you suspect that you are being victimized by Toll Fraud and you need 
technical assistance or support, call Technical Service Center Toll 
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Fraud Intervention Hotline at +1-800-643-2353 for the United States 
and Canada. For additional support telephone numbers, see the Avaya 
Support Web site: http://su p port.avava.com . Suspected security 
vulnerabilities with Avaya products should be reported to Avaya by 
sending mail to: securityalerts@avaya.com. 

Trademarks 

Avaya, the Avaya logo, Avaya one-X® Client Enablement Services, 
Communication Manager, Modular Messaging, and Conferencing are 
either registered trademarks or trademarks of Avaya Inc. in the United 
States of America and/or other jurisdictions. 

All non-Avaya trademarks are the property of their respective owners, 
and “Linux” is a registered trademark of Linus Torvalds. 

Downloading Documentation 

For the most current versions of Documentation, see the Avaya 
Support Web site: http://support.avava.com . 

Contact Avaya Support 

Avaya provides a telephone number for you to use to report problems 
or to ask questions about your Product. The support telephone number 
is 1-800-242-2121 in the United States. For additional support 
telephone numbers, see the Avaya Website: http://support.avava.com . 
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Chapter 1: Introduction 


Purpose of this document 

This guide provides information for implementing Avaya one-X® Client Enablement Services. 
Use this guide to: 

• Install the Client Enablement Services Release 6.1 SP1 template 

• Upgrade Client Enablement Services from Release 6.1 to Release 6.1 SP1 

• Install, configure, and upgrade the Handset Server 

• Install, configure, and upgrade the Transcoding Server 

• Troubleshoot issues that you encounter during the Client Enablement Services template 
installation 

Note: 

After you complete the template installation, you must setup Client Enablement Services. 
For more information, see Administering Avaya one-X® Client Enablement Services. 


Related documents 

Use the appropriate user documentation to obtain specific information to plan, install, 
administer, troubleshoot, and maintain your Client Enablement Services system. You can 
download these documents from the Avaya Support Web site at http://www.avava.com/ 
support . 

• Avaya one-X® Client Enablement Services Overview 

• Administering Avaya one-X® Client Enablement Services 

• Avaya one-X® Client Enablement Services Online Help for administrators 

• Avaya one-X® Communicator User Guide 

• Avaya one-X® Communicator Online Help for users 

• Avaya Online Help for centralized administration tool 

• Avaya one-X® Mobile Android User Guide 
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• Avaya one-X® Mobile Blackberry User Guide (touch screen model) 

• Avaya one-X ® Mobile Blackberry User Guide (non-touch screen model) 

• Avaya one-X ® Mobile iPhone User Guide 

Before you install or upgrade Avaya products, check the Avaya Support Web site for the latest 
information. 


Avaya one-X® Client Enablement Services 

Client Enablement Services is the first of a new series of next-generation applications that 
brings Unified Communications (UC) to your desktop and mobile handsets in a single tool. Use 
Client Enablement Services to access multiple Avaya UC capabilities, including Telephony, 
Messaging, Mobility, Conferencing, and Presence Services. With Client Enablement Services, 
you do not need multiple applications to access the features provided by Avaya 
Aura®Communication Manager, Avaya Aura® Presence Services, Avaya Modular Messaging / 
Avaya Aura® Messaging, and Avaya Aura® Conferencing. 

In Client Enablement Services, the UC clients of Avaya one-X® Communicator and Avaya one- 
X® Mobile work with a single server. The Client Enablement Services server delivers 
continuous subscriber data and provides a consistent user experience. Client Enablement 
Services supports a thick client and mobile interface to gain access to the functionality 
supported on the server. 

Avaya one-X® Communicator provides the softphone capability. Use Avaya one-X® 
Communicator to manage the communications tasks in your enterprise. Avaya one-X® 
Communicator provides a simple, intuitive access to your daily communications tools. 

The UC features of Avaya one-X® Communicator include visual voice mail to filter and sort 
voice messages. Use the visual voice mail feature to respond to important messages quickly. 
Communication History logs help you trace the history of your enterprise calls and voice 
messages. Use Avaya one-X® Communicator to increase the productivity of your enterprise 
with tools that enhance collaboration, improve responsiveness, and lower costs for IT and end- 
user support. 

Avaya one-X® Mobile provides seamless access to voice messaging and corporate directories 
while using a mobile device. Avaya one-X® Mobile equips your mobile phone with access to 
your office telephone system. Regardless of your work location, you can receive and make 
calls to and from your desk phone number, review voice mail messages, look up information 
in your enterprise directory, and even block calls. 


Deployment model 

The following figure shows the various components in the Client Enablement Services 
deployment and their interrelationship between the providers and the entities. 
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During installation, you can install Client Enablement Services with or without the Handset 
Server. The Handset Server facilitates the communication between the handsets and the 
Handset Services running in Client Enablement Services. Handset Services is a separate Java 
Application that you can install outside the Intranet, mostly in the DMZ. You can scale the 
Handset Server according to the number of Avaya one-X® Mobile users. 


Templates overview 

Avaya offers product-specific templates to install different products on System Platform. A 
template is a definition of a set of one or more applications that you can install on System 
Platform. Client Enablement Services provides the following templates: 

• onexps_tempiate_i6GB. ovf : If you are installing Client Enablement Services on a 
system that has 16 GB of RAM or more, you must use this template. 

• onexps_tempiate_2 4GB. ovf: If you are installing Client Enablement Services on a 
system that has 24 GB of RAM or more, you must use this template. 
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Note: 

All templates have the same functionality. Select a template depending on the RAM of the 

system. 

However, if you are using a Dell server with a minimum RAM of 24 GB, you must use the 

onexps_template_2 4GB. ovf template. 

You can install the Client Enablement Services template from one of the following locations. 

Use the option that works best in a specific customer scenario. 

• Avaya Downloads (PLDS): The template files are located in Avaya PLDS. The list 
contains all templates to which your enterprise is entitled. Each line in the list begins with 
the sold-to number so that you can select the appropriate template for the site where you 
are installing Client Enablement Services. Hold the mouse pointer over the selection to 
view more information about the sold-to number. The PLDS are available at http:// 
plds.avava.com . 

• HTTP: The template files are located on an http server. You can install the template files 
from the http server to several System Platform servers. You must enter the template URL 
information. 

• SP Server: The template files can be copied to the /vsp-tempiate file system in the 
Console Domain of the System Platform server. 

• SP CD/DVD: The template files are located in the DVD supplied with the system or the 
DVD created onsite. 

Note: 

If you plan to install the Client Enablement Services template files from a DVD, then 
you must use a Double-Layer DVD media so that the template files fit into a single 
DVD. 

• SP USB Disk: The template files are located in a USB flash drive connected to the server. 
The format of the USB flash drive must be ext3. 

Note: 

If you plan to install the Client Enablement Services template files from a USB, then 
you must ensure that the template files fit into a single USB. 


Deployment checklist 

Use the following checklist to install Client Enablement Services. As you complete a task, make 
a check mark in the column. 
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Deployment checklist 


✓ 

Task 

References 

Notes 


Download required 
documentation. 

See Related documents on 
page 9. 



Gather preinstallation 
data. 

See Preinstallation data 
qatherina on paqe 20. 



Verify that all 
equipments are on-site. 

See Chapter 2: Prerequisites. 

Do not rely on the 
packing slip for correct 
information. Instead, 
compare the inventory 
list of hardware and 
components that you 
ordered with the 
contents of the 
shipping boxes. If you 
find any discrepancy 
between the inventory 
list and the contents of 
the shipping boxes, 
immediately inform 
Avaya. 


Obtain one of the 
following servers, as 
appropriate: 

• Dell™ PowerEdge™ 
R610 Server 

• HP ProLiant DL360 

G7 Server 

See 

• Installing the Dell PowerEdge 
R610 Server 

• Installing the HP DL360 G7 
Server 



Obtain and install 
System Platform on the 
server. 

For more information, see 
Installing and Configuring 

Avaya Aura System Platform. 



Obtain the Client 
Enablement Services 
template. 

See Templates overview on 
page 11. 



Use the System 

Platform Web Console 
to install the Client 
Enablement Services 
template. 

See Installina a solution 
template on paqe 48. 



Set up Client 
Enablement Services. 

For more information, see 
Administering Avaya one-X s 
Client Enablement Services. 
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Chapter 2: Prerequisites 


Availability 

Note: 

Client Enablement Services is not customer installable. Only Avaya technicians or Avaya- 
certified business partners are authorized to perform the installation of Client Enablement 
Services. For more information, please contact Avaya Support. 

You can download the software-only solution of Client Enablement Services 6.1 SP1 and the 
Avaya-provided complete solution through the Avaya Product Licensing and Delivery System 
(PLDS). 

Software-only solution 

Avaya provides the following components: 

• Internal Client Enablement Services database 

• Client Enablement Services applications 

• Avaya Aura® System Platform 

• Avaya WebLM 

• Secure Access Link Agent 

• Secure Access Link Gateway 
Avaya-provided complete solution 
Avaya provides the following components: 

• Dell R610 and HP DL360G7 servers 

• Internal Client Enablement Services database 

• Client Enablement Services applications 

• Avaya Aura® System Platform 

• Avaya WebLM 

• Secure Access Link Agent 

• Secure Access Link Gateway 

• Handset Server 

• IHS 
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Avaya components 

Note: 

The versions of Avaya and third-party products mentioned in this guide are likely to change 
as Avaya tests and certifies later versions of supported products. To know about the latest 
versions of products that Client Enablement Services Release 6.1 SP1 supports, refer to 
the Avaya Support Web site, http://www.avava.com/support . 

Client Enablement Services supports the following Avaya components. 

Note: 

Avaya plans to support Aura 6.2. 


Avaya Components 

Software / Hardware 

Version 

PBX 

Communication Manager 

5.2.1 SP11 

6.0 

Note: 

Client Enablement 
Services does not support 
Communication Manager 
6.0 FS implementation. 

6.0.1 SP6 

Session Manager 

Session Manager 

6.0 

6.1 SP4 

System Manager 

System Manager 

6.1 SP4 

System Platform 

System Platform 

6.0 Build 6.0.3.0.3 with Patch 
6.0.3.3.3 or 6.0.3.4.3 

Presence 

Presence Services 

6.1 

Messaging 

Avaya Modular Messaging 

5.2 SP6 

Avaya Aura® Messaging 

6.0 

6.0.1 

6.1 

Conferencing 

Avaya Aura Conferencing 
Standard Edition 

In Release 5.2, Avaya Aura 
Conferencing Standard 
Edition was named as Avaya 
Meeting Exchange™ 
Enterprise Edition. 

5.2 

6.1 
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Availability 


Avaya Components 

Software / Hardware 

Version 

SIP Hard Phones 

Avaya SIP 2.6 

9620 

9620C 

9620L 

9630 

9630G 

9640 

9640G 

9650 

9650C 

Avaya SIP 6.0 

96x1 [9601,9608, 9611G, 
9621G, and 9641G] 

H.323 Hard Phones 

Avaya H.323 

9620C 

9620L 

9630 

9630G 

9640 

9640G 

9650 

9650C 

96x1 [9601,9608, 9611G, 
9621G, and 9641G] 

Avaya Soft Clients 

Avaya one-X® 

Communicator 

6.1 SP3 


Third-party components 


Note: 

The versions of Avaya and third-party products mentioned in this guide are likely to change 
as Avaya tests and certifies later versions of supported products. To know about the latest 
versions of products that Client Enablement Services Release 6.1 SP1 supports, refer to 
the Avaya Support Web site, http://www.avava.com/support . 

Client Enablement Services supports the following third-party components. 
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Prerequisites 


Third-party Components 

Software / Hardware 

Version 

Server OS 

Linux 

RHEL (part of the Client 
Enablement Services 
template) 

Handet Server OS 

Linux 

RHEL 5.0 

Administration Browser 

Microsoft Internet Explorer 

7.0 

8.0 

Mozilla Firefox 

3.6 

Apple Safari 

5.x 

LDAP 

Microsoft Active Directory 

2003 R2 

2008 R2 

IBM Domino Server 

8.5.1 

Novell eDirectory 

8.8 SP5 

SUN Directory Server 
Enterprise Edition 

6.3.1 

7.0 

Mobile Device Platforms 

iPhone (Apple) 

4.3+ and 5.0 

BlackBerry (RIM) 

5.0+, 6.0+, and 7.0 

Android 

2.2+ 

Handsets 

iPhone (Apple) 

3G, 3GS, and 4 

BlackBerry (RIM) 

Bold - 9000, 9650, and 9700 

Curve - 8520, 8530, 8900, 
and 9300 

Torch 9800 

Storm 9550 

Android 

Motorola - Droid 2 

HTC - Evo 4G 

LG - Revolution 

Samsung - Galaxy S and 
Galaxy S2 

Dell - Streak 5 and Venue 
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Preinstallation checklist 


Preinstallation checklist 

Use the following checklist to ensure that the prerequisites for installing Client Enablement 

Services are complete. As you ensure that a task is complete, make a check mark in the 
column. 


✓ 

Task 

References 

Notes 


Gather preinstallation 
data 

See Preinstallation data 
qatherina on paqe 20 



Check for 

environmental 

requirements 

See Safety instructions on 
page 20 


See Clearance requirements on 
page 22 



Check for hardware 
requirements 

See Hardware requirements on 
page 22 


See Avava-provided 
eouiDment on Daoe 23 


See Customer-Drovided 
equipment on paqe 24 



Check for software 
requirements 

See Software requirements on 
page 24 


See Software requirements for 
features on paqe 25 



Check for network 
requirements 

See Time synchronization 
requirements on paqe 28 


See Network firewall quidelines 



Check for licensing 
requirements 

See Licensinq requirements on 
page 28 


See Location of the Avava Web 
License Manaqer on paqe 29 


See Product software and 
licenses on pace 29 


See Host ID on pace 29 



Check for security 
requirements 

See Security requirements on 
page 31 
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Prerequisites 


✓ 

Task 

References 

Notes 



See Additional securitv 
information on paqe 31 



Configure Enterprise 
Directory 

See Enterprise Directory 
intearation auidelines on 
page 31 



Generate SMGR 
Enrollment Password 

Generatina the SMGR 

Enrollment Password on 
page 38 



Preinstallation data gathering 

You must fill data in several fields while installing and configuring Client Enablement Services. 
If you have the information required for these fields ahead of time, your installation will be faster 
and accurate. 

Before you install Client Enablement Services: 

• Distribute the appropriate checklists to your network administrator. 

• Verify that your network infrastructure fulfills the hardware and software infrastructure 
prerequisites. 

To ensure that you gather all the required data before the installation, fill out the installation 
worksheet for installing Client Enablement Services. See lnstallation worksheet: information 
required by template installation on page 39. 


Environmental requirements 


Safety instructions 

Use the following safety guidelines to ensure your own personal safety and to help protect your 
system and working environment from potential damage. 

Observe the following precautions for rack stability and safety. Also refer to the rack installation 
documentation accompanying the rack for specific caution statements and procedures. 

Systems are considered to be components in a rack. Thus, component refers to any system 
as well as to various peripherals or supporting hardware. 
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Environmental requirements 


Danger: 

• Before installing systems in a rack, install front and side stabilizers on stand-alone racks 
or the front stabilizer on racks that are joined to other racks. Failure to install stabilizers 
before installing systems in a rack could cause the rack to tip over, potentially resulting 
in bodily injury. 

• After installing components in a rack, never pull more than one component out of the 
rack on its slide assemblies at one time. The weight of more than one extended 
component could cause the rack to tip over and may result in serious injury. 

• Use caution when pressing the component rail release latches and sliding a component 
into or out of a rack because the slide rails can pinch your fingers. 


Note: 

• Your system is safety-certified as a free-standing unit and as a component for use in a 
rack cabinet using the customer rack kit. It is your responsibility to ensure that the final 
combination of system and rack complies with all applicable safety standards and local 
electric code requirements. 

• System rack kits are intended to be installed in a rack by trained service technicians. 

O Important: 

• Always load the rack from the bottom up, and load the heaviest item in the rack first. 

• Make sure that the rack is level and stable before extending a component from the 
rack. 

• Do not overload the AC supply branch circuit that provides power to the rack. The total 
rack load should not exceed 80 percent of the branch circuit rating. 

• Ensure that proper airflow is provided to components in the rack: 

- Do not block any air vents. Usually 15 cm (6 in.) of space provides proper 
airflow. 

- Install the server only in a rack cabinet with perforated doors. 

- Do not leave open spaces above or below an installed server in your rack cabinet. 
To help prevent damage to server components, always install a blank filler panel 
to cover the open space and to help ensure proper air circulation. 

• Do not step on or stand on any component when servicing other components in a 
rack. 

• Do not place any object on top of rack-mounted components. 
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Clearance requirements 

Install the server in a rack that meets the following requirements: 

• Minimum depth of 70 mm (2.76 inches) between the front mounting flange and inside of 
the front door if the server is installed in a cabinet. 

• Minimum depth of 157 mm (6.18 inches) between the rear mounting flange and inside of 
the rear door if the server is installed in a cabinet. 

• Minimum depth of 718 mm (28.27 inches) and maximum depth of 762 mm (30 inches) 
between the front and rear mounting flanges to support the use of the cable-management 
arm. 


Hardware requirements 


This section covers the minimum hardware requirements for the Client Enablement Services 
server. If you expect Client Enablement Services to handle a high volume of traffic, you must 
provide hardware with more memory and a faster processor. Contact your Avaya 
representative or Avaya Business Partner representative for assistance with sizing a Client 
Enablement Services system. 

The Client Enablement Services server must meet the following minimum hardware 
specifications: 

CPU Dual quad-core processors (2.4 GHz or higher) 

Memory 24 GB of RAM 

Hard drive 4 * 146 GB (RAID 5) 


Network card 1 00 Mbps / 1 Gbps 


Optical drive DVD/CD combination drive (Optional) 


Client Enablement Services currently supports the Dell R610, HP DL360G7, and S8800 
servers. 

You must deploy Client Enablement Services on an Avaya provided common hardware 
platform to ensure optimal performance and hardware continuity for future software releases. 
Client Enablement Services supports older S8800 platforms provided you upgrade the S8800 
server to meet the minimum specification outlined in the following table: 
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Hardware requirements 


Hardware 

requirements 

Dell R610 

HP DL360G7 

S8800 (Upgrade 
required) 

CPU 

Dual quad-core 
processors of 2.4 

Ghz. 

Dual quad-core 
processors of 2.4 
Ghz. 

2 * 2.2 Ghz or 
higher. 

Single processor 
models are not 
supported. 

Memory 

24 GB. 

24 GB. 

16 GB. 

Requires 10 GB 
upgrade from the 6 
GB default factory 
configuration. 

Hard Drive 

4* 146 GB RAID 5. 

3 * 300 GB RAID 5. 

4* 146 GB. 

Requires 2 * 146 GB 
upgrade from the 2 * 
146 GB default 
factory configuration. 

Network Card 

100 Mbps / IGbps. 

100 Mbps / IGbps. 

100 Mbps / IGbps. 

Optical Drive 

DVD/CD 

combination drive is 
optional. 

DVD/CD 

combination drive is 
optional. 

DVD/CD 

combination drive is 
optional. 


Note: 

The versions of Avaya and third-party products mentioned in this guide are likely to change 
as Avaya tests and certifies later versions of supported products. To know about the latest 
versions of products that Client Enablement Services Release 6.1 SP1 supports, refer to 
the Avaya Support Web site, http://www.avava.com/support . 


Avaya-provided equipment 

Avaya provides the following equipment: 

• Server and power cord 

• Slide rails 

• Cable management arm assembly 

• Cable management arm stop bracket 

• Cable management arm mounting bracket 

• Cable management support arm 

• Two 10-32 screws 

• Four M6 screws 

• Five small cable ties 
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• One large cable tie 

• Other hardware as ordered, such as uninterruptible power source (UPS). 


Customer-provided equipment 

The customer must provide the following equipment: 

• Standard 19-inch four-post equipment rack that is properly installed and solidly secured. 
The rack must meet the following standards: 

-American National Standards Institute and Electronic Industries Association 
standard ANSI/EIA-310-D-92. 

- International Electrotechnical Commission standard IEC 297 

- Deutsche Industrie Norm standard DIN 41494 

• Screws that come with the racks for installing the rails 

• #2 cross-point (Phillips) screwdriver or 3/8 inch flathead screwdriver 

• USB keyboard, USB mouse, and monitor must be available on the site for advanced 
installation or troubleshooting. 

• Power from a nonswitched electrical outlet 

• Access to the network 


Software requirements 

Install the following software before installing Client Enablement Services: 

Note: 

The versions of Avaya and third-party products mentioned in this guide are likely to change 
as Avaya tests and certifies later versions of supported products. To know about the latest 
versions of products that Client Enablement Services Release 6.1 SP1 supports, refer to 
the Avaya Support Web site, http://www.avava.com/support . 

• Avaya Aura System Platform 6.0 Build 6.0.3.0.3 with Patch 6.0.3.3.3. For more 
information, see Installing and Configuring Avaya Aura System Platform guide. 

Note: 

You must install System Platform on the hardware on which Client Enablement 
Services is to be installed. 

• Avaya Aura System Manager 6.1 (Optional). For more information, see Installing and 
Upgrading Avaya Aura System Manager 6.1 guide. 
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Software requirements 


Note: 

You must install System Manager only if you are using Presence Services. 

• Avaya Aura Presence Services 6.1 (Optional). For more information, see Implementing 
Avaya Aura Presence Services 6.1 guide. 

Note: 

If you are using Presence Services, then you must install Session Manager and System 
Manager. 

You can gain access to all these documents and the interoperability matrix from the Avaya 
Support Web site at http://support.avava.com . 


Software requirements for features 

Client Enablement Services provides multiple features. Depending on the requirement, you 
can choose all the features or any combination. Certain features require additional or specific 
software to function properly. 

For Client Enablement Services to function properly, you must: 

• Implement Client Enablement Services with Modular Messaging 5.2 or Avaya Aura® 
Messaging 6.x. 

For Modular Messaging 5.2, Session Manager and System Manager are not required. 

• Assign all users a voice mail resource, as voice mail is mandatory in Client Enablement 
Services. 

• Install Session Manager 6.1 if you use System Manager 6.1. 

The following tables list the software that you must install for each feature. To use the feature 
listed in the Feature column, you must install the corresponding software indicated by a Yes 
in the software column. 

Avaya one-X® Mobile: 


Feature 

Communicatio 
n Manager 

Presence 

Services 

System 

Manager 

Session 

Manager 

Telephony 

Access 

Element. 

Yes (5.2.1) 

No 

Optional (6.1 
and later) 

Optional (6.0 
and later) 

Evolution 

Server. 

Yes (6.0 and 
later) 

No 

Optional (6.1 
and later) 

Optional (6.0 
and later) 
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Feature 

Communicatio 
n Manager 

Presence 

Services 

System 

Manager 

Session 

Manager 


Feature Server. 
Yes (5.2.1 and 
later)* 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

Presence 

Yes (5.2.1 and 
later) 

Yes (6.1 and 
later) 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

Messaging 

Yes (5.2.1 and 
later) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 


Note: 

*Client Enablement Services does not support Communication Manager 6.0 Feature Server 
implementation. 

Avaya one-X® Communicator - H.323: 


Feature 

Communicat 
ion Manager 

Presence 

Services 

System 

Manager 

Session 

Manager 

Conferencin 

g 

Telephony 
(Non - Aura 
implementati 
on) 

Yes (5.2.1 
and later) 

No 

Optional (6.1 
and later) 

Optional (6.0 
and later) 

No 

Telephony 

Access 

Element. 

Yes (5.2.1) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Evolution 

Server. 

Yes (6.0 and 
later) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Feature 

Server. 

Yes (5.2.1 
and later)* 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Presence 

Yes (5.2.1 
and later) 

Yes (6.1 and 
later) 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Conferencin 

g 

Yes (5.2.1 
and later) 

No 

No 

No 

Yes (5.2.1 
and later) 

Messaging 

Yes (5.2.1 
and later) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 


Note: 

*Client Enablement Services does not support Communication Manager 6.0 Feature Server 
implementation. 
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Software requirements 


Avaya one-X® Communicator - SIP: 


Feature 

Communicat 
ion Manager 

Presence 

Services 

System 

Manager 

Session 

Manager 

Conferencin 

g 

Telephony 

Access 

Element. 

Yes (5.2.1) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Evolution 

Server. 

Yes (6.0 and 
later) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Feature 

Server. 

Yes (5.2.1 
and later)* 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Presence 

Yes (5.2.1 
and later) 

Yes (6.1 and 
later) 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 

Conferencin 

g 

Yes (5.2.1 
and later) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

Yes (5.2.1 
and later) 

Messaging 

Yes (5.2.1 
and later) 

No 

Yes (6.1 and 
later) 

Yes (6.0 and 
later) 

No 


Note: 

*Client Enablement Services does not support Communication Manager 6.0 Feature Server 
implementation. 


Supported versions of third-party software 

Avaya supports use of the documented software versions with the current release of this 
product. These software versions are the minimum versions that Avaya requires. 

This release does not support operating systems, databases, Web servers, switches, or other 
software platforms that are not documented here, unless stated otherwise in a Product Support 
Notice. 

Avaya will support subsequent updates and service packs that provide corrections for a bug, 
defect, or problem for the documented software versions. The support depends on the 
following: 

• The manufacturer must guarantee that the updates and service packs are backwards 
compatible with the supported. 

• The updates and service packs do not include changes to the core functionality or new 
features. 
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Prerequisites 


Network requirements 


Time synchronization requirements 

Time synchronization ensures that time stamps for all integrated systems are consistent. 

Note: 

If the time stamps are not synchronized, the secure SSL connections between the servers 
fail. 

All servers that host integrated systems, such as Communication Manager, Modular 
Messaging, System Manager, and Presence Services require NTP software for time 
synchronization. 


Licensing requirements 

Before you install Client Enablement Services, you must obtain the UC All Inclusive total bundle 
license, which includes licenses for Client Enablement Services and all integrated 
components. 

UC All Inclusive total bundle licenses 

You must obtain an end-user license from Avaya to provision users for Client Enablement 
Services. Unprovisioned users cannot gain access to Client Enablement Services. 

This license file covers all Client Enablement Services users. An end-user license is consumed 
when a user is configured and activated for use. 

The UC All Inclusive total bundle license has the license files for all Avaya components that 
you want to integrate with Client Enablement Services. For detailed information about the 
license requirements for these products, see the product documentation or consult your Avaya 
representative or Avaya Business Partner representative. 

Depending on your system, the license requirements for integrated Avaya components must 
include the following: 

Communication Manager Extension to Cellular (PBFMC and EC500), Avaya one-X® 

Communicator, and CTI Adjunct Links enabled. 

Modular Messaging / Message store platform, number of mailboxes, and maximum 
Avaya Aura® Messaging number of concurrent text to speech (TTS) sessions. 
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Licensing requirements 


Conferencing As required by your conference bridge version. 

The type of license consumed from Communication Manager depends on the system usage. 
The following licenses are present: 

• Avaya one-X® Communicator license: One Avaya one-X® Communicator license is used 
for each user logging in using the VoIP (This Computer) mode. 

• Public Fixed Mobile Convergence (PBFMC) license 


Location of the Avaya Web License Manager 

You can install the Avaya Web License Manager (WebLM) in the following locations: 

• Local WebLM: If WebLM of System Platform is used, use the Client Enablement Services 
pre-install plug-in page to select this option. 

• Remote System Manager (SMGR) WebLM: If WebLM of remote System Manager is used, 
use the Client Enablement Services pre-install plug-in page to select this option. 

You must install licenses for most Avaya products in a single location. You must use the WebLM 
of System Manager for Client Enablement Services. 

Use the local WebLM server only if System Manager WebLM is not present. 


Product software and licenses 

PLDS provides customers, Avaya Partners, distributors, and Avaya Associates with easy-to- 
use tools for managing asset entitlements and electronic delivery of software and related 
licenses. Using PLDS, you can perform activities such as license activation, license de¬ 
activation, license re-host, and software downloads. 

Note: 

To obtain a license from the PLDS Web site, you must have the Host ID of the computer. 

For more information on downloading product software and obtaining licenses, see Getting 
Started with Avaya PLDS on the Avaya Support site. 


Host ID 

You must provide a host ID of the computer that hosts license components for Client 
Enablement Services. The primary host ID is a software generated MAC address. The MAC 
address changes every time you reboot System Platform. Use the host ID to obtain a license 
from the PLDS Web site. 
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Obtaining a host ID from a WebLM server co-resident on your Client 
Enablement Services server 

If the WebLM server is co-resident on your Client Enablement Services server, follow this 
procedure. 

Procedure 

1. Log in to the cdom Web admin console using admin/adminoi. 

The cdom (Console Domain) IP address is the IP address that you configured in 
the Static IP field of the VSP Console Domain Network Configuration screen, during 
the installation of System Platform. 

2. In the left pane, click Server Management > License Management. 

3. Click Launch WebLM License Manager. 

4. Log on to the WebLM server using your log-on credentials. 

5. On the home page of the WebLM server, in the left pane, click the Server 
Properties link. 

6. Note the Primary Host ID. 

For more information on installing and configuring an Avaya WebLM server, see 
Installing and Configuring Avaya WebLM server on the Avaya Support site. 

Note: 

You can obtain the LOCAL (cdom) WebLM URL from the Administration Web 
site. 


Obtaining a host ID from a System Manager's WebLM server 

Procedure 

1. Log in to the System Manager's Web admin console as admin/adminoi. 

2. Click Services > Licenses. 

3. Select Server Properties and note the Primary Host ID. 
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Security requirements 


Security requirements 


Security requirements 

Before implementing Client Enablement Services, ensure that the customer security staff 
reviews and approves the Client Enablement Services deployment. This means that customers 
must engage the expertise of their security staff early in the implementation process. The 
security staff must consider how they will incorporate Client Enablement Services into their 
routine maintenance of virus protection, patches, and service packs. 


Additional security information 

Additional security information for all Avaya products, including Client Enablement Services, 
and Avaya components that integrate with Client Enablement Services, is available at the 
Avava Security Advisories Web site . For example, you can find information about the following: 

• Avaya Product Security Vulnerability Response Policy 

• Avaya Security Vulnerability Classification 

• Security advisories for Avaya products 

• Software patches for security issues 

• Reporting a security vulnerability 

• Automatic e-mail notifications of security advisories 

You can also find additional information about security practices at the National Security 
Agency Security Configuration Guides Web site . 


Configuring Enterprise Directory for Avaya one-X® Client 
Enablement Services 


Enterprise Directory integration guidelines 

Client Enablement Services integrates with the following enterprise directory servers for user 
records, authentication, and authorization. Client Enablement Services also uses the 
enterprise directory to search contact information, that is, like an address book. You can 
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integrate with an existing enterprise directory server, or you can use a dedicated enterprise 
directory server for Client Enablement Services. 

• Microsoft Active Directory 

• IBM Domino Server 

• Novell eDirectory 

• SUN Directory Server Enterprise Edition 


Note: 

Client Enablement Services does not support enterprise data split between two or more 
enterprise directories. For example, you cannot create the User Domain on an Active 
Directory server and the Contact Domain on a Domino server. Also, Client Enablement 
Services supports only one enterprise directory attribute mapping. Therefore, the list of 
attributes must be the same for any enterprise directory you administer. 

Limitations on support for Active Directory domains 

Each Client Enablement Services deployment can authenticate and authorize users from only 
one Active Directory domain. Depending upon the enterprise Active Directory policy, security 
groups for Client Enablement Services users can reside in the same domain as the users or 
in a different domain. The domain that provides the users is the user domain. The domain that 
provides the security groups is the resource domain. 

You can configure each deployment to access information about users in up to four additional 
Active Directory domains. Flowever, Client Enablement Services considers the users in the 
additional domains to be contacts only and does not obtain anything other than the address 
book data from them. You cannot provision users from the additional domains, and those users 
cannot log in to the Client Enablement Services deployment. 

If you want to provide the services of Client Enablement Services to users in more than one 
Active Directory domain, you must implement at least one Client Enablement Services 
deployment for each domain. 

Limitations on support for other Enterprise Directory domains 

Only the LDAP server in the LDAP Domain on Client Enablement Services supports identity 
resolution on other supported enterprise directories. 

Supported Active Directory domain topologies 


Domain topology 

Description 

Combined domain 

Users and security groups are in the same Active Directory 
domain. 

For this topology, configure Client Enablement Services with the 
same domain for the user and the resource. 

Split domain in same 
forest 

Users and security groups are in separate Active Directory 
domains. These domains are in the same forest. 

For this topology, the template installation presents you with 
Enterprise Directory configuration screens for the User and 
Group domains. 
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Domain topology 

Description 

Split domain in different 
forest 

Uses two Active Directory domains that are in different 
forests. 

For this topology, the template installation presents you with 
Enterprise Directory configuration screens for the User and 
Group domains. 

To ensure the required access, this topology requires a different 
service account and password for each forest when you install 
Client Enablement Services. 


Required security groups 

Before you install Client Enablement Services, you must create the following Enterprise 
Directory security groups: 

• Client Enablement Services administrators 

• Client Enablement Services users 

• Client Enablement Services auditors 

These security groups belong in the same resource domain where the enterprise maintains 
other security groups for Client Enablement Services users. 

Client users must be a member of the Client Enablement Services users group. Administrators 
must be a member of the Administrative users group. Users who have both roles must be 
members of both groups. 

If you plan to deploy more than one Client Enablement Services server in an environment, you 
must create a unique set of security groups for each Client Enablement Services server in the 
system, even if both deployments use the same Enterprise Directory domain. You can 
configure two Client Enablement Services deployments to use the same security groups. 
However, you cannot change the security groups assigned to a deployment without reinstalling 
Client Enablement Services. 

Naming conventions for security groups 

You must follow existing corporate standards when you create security groups for Client 
Enablement Services. Each security group name must do the following: 

• Be unique in the Active Directory domain. 

• Identify the group as related to Client Enablement Services 

• Identify the Client Enablement Services deployment 

• Identify the purpose of the security group. 


Note: 

Do not use default security group names, such as Domain Users, for Client Enablement 
Services. These default groups do not function correctly with LDAP. For more information, 
see Microsoft Knowledge Base article number 275523. 
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For example, use the following naming conventions for security groups: 

• <deployment_name> Client Enablement Services Users 

• <deptoyment_name> Client Enablement Services Administrators 

• <deployment_name> Client Enablement Services Auditors 

Using this naming convention, you can identify the Client Enablement Services deployment 
associated with the security groups. Even if the system only includes one Client Enablement 
Services deployment, this naming convention ensures that the Active Directory integration can 
be expanded to include additional Client Enablement Services deployments. 


Determining the Active Directory domain topology 

About this task 

After you install Client Enablement Services, you cannot change the Active Directory domain 
unless you reinstall Client Enablement Services. Hence, you must ascertain the domain 
topology that the Enterprise Active Directory uses. 

Procedure 

1. Determine which of the following domain topologies the Enterprise Active Directory 
uses: 

• Combined domain 

• Split domain in same forest 

• Split domain in different forests 

2. Identify the user domain that includes the users who access Client Enablement 
Services. 

3. Identify the resource domain that defines the Client Enablement Services security 
groups. 

4. If the user domain and resource domain are different, determine whether they are 
in the same forest. 


Related topics: 

Enterprise Directory integration guidelines on page 31 
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Configuring Enterprise Directory security groups 

Note: 

Do not use default security group names, such as Domain Users, for Client Enablement 
Services. These default groups do not function correctly with LDAP. For more information, 
see Microsoft Knowledge Base article number 275523. 

Note: 

Do not change the Enterprise Directory security groups on the LDAP server once the 
installation is complete, as otherwise Client Enablement Services will not function 
properly. 

Procedure 

1. In the resource domain, create Enterprise Directory security groups for the following 
groups of users in each Client Enablement Services deployment: 

• Administrative users who need access to the Administration application: 
Include the deployment in the group name, for example, Chicago Client 
Enablement Services Administrators. 

• Users who need access to Client Enablement Services: Include the 
deployment in the group name, for example, Chicago Client Enablement 
Services Users. 

• Auditors who need read-only access to the Administration application: Include 
the deployment in the group name, for example, Chicago Client Enablement 
Services Auditors. 

2. For the Active Directory only, make sure that the configuration of each security 
group includes the following values: 

• The pre-Windows 2000 name has the same value as the group name. 

• The group type is Security. 

• For a split domain topology only, the group scope is Domain Local. 


Related topics: 

Enterprise Directory integration guidelines on page 31 
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Verifying Enterprise Directory user configuration 

About this task 

Client Enablement Services accesses the user accounts in the Enterprise Directory for 
authentication and authorization. If Client Enablement Services can access an existing 
Enterprise Directory server, you do not need to create new user accounts. 

Users can log in with their corporate log-in IDs and passwords. To ensure that enterprise users 
can access Client Enablement Services, verify that each user account meets the required 
criteria. 

Client users must be a member of the Client Enablement Services users group. Administrators 
must be a member of the Administrative users group. Users who have both roles must be 
members of both groups. 

Procedure 

For each Client Enablement Services user in the user domain, verify the following with 
regard to the Enterprise Directory user records. 

• The domain that hosts Client Enablement Services has the Enterprise Directory 
user records. 

• At least one Client Enablement Services security group is assigned the records 
to provide the user with the required administrative, user, or auditor privileges. 

• The records have a pre-Windows 2000 log-on name that is identical to the Client 
Enablement Services log-on name. 

• The records include a user password and the desired password options. 


Creating the Avaya one-X® Client Enablement Services 
administrative service account 

About this task 

For Client Enablement Services create at least one administrative service account in the user 
domain of the Enterprise Directory. This administrative service account must be a member of 
the Client Enablement Services Administrators users group. 

Client Enablement Services uses this service account to start and stop the Client Enablement 
Services server and perform other administrative functions. 

If the Enterprise Directory uses a split domain topology with the user domain and resource 
domain in different forests, Client Enablement Services also requires a secondary service 
account in the resource domain. 
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For SUN Directory Server Enterprise Edition, the service account must be able to see the root 
of the directory. 

Note: 

Do not change the service account login and password on the LDAP server once the 
installation is complete, as otherwise Client Enablement Services will not function 
properly. 

Procedure 

1. In the user domain, create a primary service account that meets the following 
criteria: 

• Password meets the requirements of IBM WebSphere. For example, the 
password cannot contain a space or special characters such as $, #, {,", and 
-. The password must start with a number or letter, and must not start with an 
underscore or other symbol. For more information, see the IBM WebSphere 
online documentation. 

• Password does not expire. Select the Password never expires check box. 

• Is a member of the Client Enablement Services administrator's security 
group. 

2. The primary service account must be able to: 

• Get the Distinguish Name (DN) of the user based on the user’s handle, so the 
system can validate the password of the user. 

• See the members of the security groups. 

• Read any information that Client Enablement Services wants to export, such 
as user phone numbers. 

3. For Active Directory only, create a secondary service account in the resource 
domain that meets the same criteria specified in steps 1 and 2. This is only for a 
split domain topology with the user domain and resource domain in different 
forests. 

Note: 

To configure Client Enablement Services Enterprise Directories over SSL, refer 
to the Appendices in this document. 

You can map Enterprise Directory attributes to the attributes used in Client 
Enablement Services using the System tab in Administration Web Client. 
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Generating the SMGR Enrollment Password 

If you want to integrate Presence Services with Client Enablement Services, then the order of 
installation is System Manager-> Presence Services-> Client Enablement Services. 

Use this functionality to generate the simple certificate enrollment password (SCEP). The 
Client Enablement Services system requires the SCEP password to request certificates from 
Trust Management. 

Procedure 

1. Log in to the System Manager Web console. 

2. On the System Manager console, under Services, click Security. 

3. Click Certificates > Enrollment Password. 

4. On the Enrollment Password page, select the expiration of password in hours in the 

Password expires in field. 

5. Click Generate. 

The password field displays the generated password. 

6. Click Commit. 

Note: 

When you click Commit, the system updates the time displayed next to the Time 
remaining label with the value selected in the Password expires in field. 
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Installing 


Installation worksheet: information required by template 
installation 

This worksheet lists the information that you need to install Client Enablement Services. The 
information and properties follow the same organization as the template installation. 

Installation configuration information 

The values in the Example value column are only for guiding you on the format to use. For 
security purposes, use unique values when you configure Client Enablement Services. 


Property Name 

Property values 

Notes 

Example value 

Your value 

Network Settings configuration 

One-X CES IP 

## 


IP address of the Client 
Enablement Services system. 

One-X CES FQDN 

Ixces.domain 
.xyzcorp.com 


Fully qualified domain name of 
the Client Enablement Services 
system. 

NTP Server Details 

NTP Serverl 



IP address or FQDN of the 
computer that hosts the NTP 
Server 1. This field is mandatory. 

NTP Server2 



IP address or FQDN of the 
computer that hosts the NTP 
Server 2. 

NTP Server3 



IP address or FQDN of the 
computer that hosts the NTP 
Server 3. 

LDAP information 

LDAP Type: Active 
Directory (Split 
Domain) 



If the Enterprise Directory has 
users defined in one domain and 
security groups defined in 
another domain, configure the 
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Property Name 

Property values 

Notes 

Example value 

Your value 




user domain in the first section 
and the resource domain for 
security group in the second 
section. 

User LDAP Host 

###.###.###.# 

## 


IP address of the computer that 
hosts the Enterprise Directory 
server. 

The host value can also be the 
FQDN. 

User LDAP Port 

389 


Port that the Client Enablement 
Services computer will use to 
communicate with the Enterprise 
Directory server. 

Note: 

You must install the Client 
Enablement Services template 
over the non-secure port (389) 
for LDAP connection. If you 
want to establish a secure 
connection, this can be done 
later using the Client 
Enablement Services 
administration client. For more 
information, see the 
Appendices in this document. 

User LDAP Domain 

users.domain.x 
yzcorp.com 


The domain name of the user 
configured on the Enterprise 
Directory server. 

User LDAP 

UserName 

admin_service 

_user 


Enterprise Directory user that you 
created for the Client Enablement 
Services administrative service 
account. 

Note: 

The user must be a member of 
the Client Enablement 

Services administrator's 
security group created for this 
install. Client Enablement 
Services uses this user for 
assigning permissions to users 
for performing administrative 
tasks. 

User LDAP 

Password 



Password for the Client 
Enablement Services 
administrative service account. 
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Property Name 

Property values 

Notes 

Example value 

Your value 




For password rules, see Creatinq 
the Avava one-X Client 

Enablement Services 
administrative service account on 

page 36. 

Is Group LDAP on 
different forest? 



Select the check box if the Group 
LDAP is on a different forest. 

Group LDAP Host 

###.###.###.# 

## 


IP address of the computer that 
hosts the Resource Enterprise 
Directory server. 

The host value can also be the 
FQDN. 

Group LDAP Port 

389 


Port that the Client Enablement 
Services computer will use to 
communicate with the Resource 
Enterprise Directory server. 

Note: 

You must install the Client 
Enablement Services template 
over the non-secure port (389) 
for LDAP connection. If you 
want to establish a secure 
connection, this can be done 
later using the Client 
Enablement Services 
administration client. For more 
information, see the 
Appendices in this document. 

Group LDAP 

Domain 

groups.domain 

.xyzcorp.com 


The domain name of the group 
configured on the Enterprise 
Directory server. 

Group LDAP 
UserName 

group_!dap_us 

er 


For same forest configuration, the 
user name is the Enterprise 
Directory user that you created 
for the Client Enablement 
Services administrative service 
account in the User LDAP. This 
user must also authenticate the 
Group LDAP. 

For different forest configuration, 
the user name is the secondary 
Client Enablement Services 
administrative account that you 
created in the Group LDAP. 
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Property Name 

Property values 

Notes 

Example value 

Your value 

Group LDAP 
Password 



Password for this user account. 
For password rules, see Creatina 
the Avava one-X Client 

Enablement Services 
administrative service account on 

page 36. 

Note: 

For information on other LDAPs such as Active Directory (Single Domain), SUN Directory 
Server Enterorise Edition, IBM Domino Server and Novell eDirectorv, see LDAP 
Information field descriptions on paae 115. 

LDAP Configuration 

Admin Group DN 

cn=oneXCESA 
dmin,cn=users 
,dc=groups,dc= 
domain,dc=xyz 
corp,dc=com 


The template installation uses the 
administrator security group to 
assign permissions to users who 
will administer Client Enablement 
Services in the Administration 
application. 

Audit Group DN 

cn=oneXCESA 

udit,cn=users,d 

c=groups,dc=d 

omain,dc=xyzc 

orp,dc=com 


The template installation uses the 
auditor security group to assign 
permissions to users who will 
have read-only access to the 
Client Enablement Services 
configuration in the 

Administration application. 
Members of the auditor security 
group cannot make changes to 
the Client Enablement Services 
configuration in the 

Administration application. 

User Group DN 

cn=oneXCESU 

ser,cn=users,d 

c=groups,dc=d 

omain,dc=xyzc 

orp,dc=com 


The template installation uses the 
user security group to assign 
permissions to users who will 
access the Client Enablement 
Services application. 

SIP Local 

SIP Local Domain 

sip. domain, xyz 
corp.com 


The local domain for SIP. 

The value in this field must match 
the Authoritative Domain name in 
the Communication Manager ip- 
network-region form or the 
Routing Domain name in Session 
Manager. 
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Property Name 

Property values 

Notes 

Example value 

Your value 

SIP Local Port 

5060 


The local port number for SIP. 

Note: 

If you select the SIP Secure 
Port check box, the port 
number is 5061. 

SIP Secure Port 



Check box to secure the SIP 
port. 

Handset Server/Service 

Install Handset 
Server 



Check box to install the Handset 
Server on the Co-resident Server, 
that is, on the same server on 
which you install Client 
Enablement Services. 

The system installs IHS on the 
Co-resident Server irrespective of 
you selecting or clearing the 
check box. 

Use SSL 



Check box to secure connection 
between Handset Server and 
Handset Service. 

Handset Server Port 

7777 


Port on which the Handset Server 
listens for incoming connections 
from mobile clients. 

Handset Service 

Port 

8888 


The listening port of the Handset 
Service. 

Transcoding Server 

Transcoding Server 
Port 

8090 


Port on which the Transcoding 
Server listens for incoming 
connections. 

System Manager (SMGR) details 

SMGR Host 

## 


IP address of the system hosting 
System Manager. 

SMGR Port 

443 


Port on which System Manager 
listens for trust management 
requests. 

This is the port where Client 
Enablement Services contacts 
System Manager. The System 
Manager generates the Client 
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Property Name 

Property values 

Notes 

Example value 

Your value 




Enablement Services’ personal 
certificate. 

SMGR Enrollment 
Password 



Enrollment password for System 
Manager 

WebLM Details 

System Manager 
(SMGR) WebLM Port 

52233 


The port number for System 
Manager (SMGR) WebLM. 

Note: 

If the WebLM is local, the port 
is 8443. 


Software download 


Software download checklist 

Use the following checklist to download System Platform and Client Enablement Services 
software. As you complete a task, make a check mark in the column. 

Note: 

Downloading software from PLDS is optional if you already have System Platform and Client 
Enablement Services software on the optical media. 


✓ 

Task 

References 

Notes 


Register for PLDS. 

See Reaisterina for PLDS on 
page 45. 



Download System 
Platform and Client 
Enablement Services 
software from PLDS. 

See Downloadina software in 
PLDS on oaqe 45. 
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Registering for PLDS 

Procedure 

1. Go to the Avaya Product Licensing and Delivery System (PLDS) Web site at https:// 
plds.avava.com . 

The PLDS Web site redirects you to the Avaya single sign-on (SSO) Web page. 

2. Log in to SSO with your SSO ID and password. 

The PLDS registration page is displayed. 

3. If you are registering: 

• as an Avaya Partner, enter the Partner Link ID. If you do not know your Partner 
Link ID, send an e-mail to prmadmin@avaya.com. 

• as a customer, enter one of the following: 

- Company Sold-To 

- Ship-To number 

- License authorization code (LAC) 

4. Click Submit. 

Avaya will send you the PLDS access confirmation within one business day. 


Downloading software in PLDS 

Procedure 

1. Type http://pids.avava.com in your Web browser to access the Avaya PLDS 
Web site. 

2. Enter your Login ID and password to log on to the PLDS Web site. 

3. Select Assets from the Home page and select View Downloads. 

4. Search for the available downloads using one of the following methods: 

• By Actual Download name 

• By selecting an Application type from the drop-down list 

• By Download type 

• By clicking Search Downloads 

5. Click the download icon from the appropriate download. 
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6. When the system displays the confirmation box, select Click to download your 
file now. 

7. If you receive an error message, click on the message, install Active X, and continue 
with the download. 

8. When the system displays the security warning, click Install. 

When the installation is complete, PLDS displays a check mark next to the 
successfully completed download. 


Template installation 

To install Client Enablement Services, you must first install System Platform and then install 
the Client Enablement Services (solution) template. 

After installing the template, manage the template from the System Platform Web Console. 


Prerequisites for installing a solution template 

Make sure that the IP addresses for the avprivate bridge do not conflict with any other IP 
addresses in your network. 

Go to the Network Configuration Web page on the System Platform Web Console (Server 
Management > Network Configuration) to view the addresses that are allocated to avprivate. 
The range of IP addresses starts with System Domain's (Domain-0) interface on avprivate. 
Provide IP to Console Domain in the same subnet. If any conflicts exist, resolve them by 
assigning System Domain an IP address on a subnet that is unused in your network. The 
template you install will take additional addresses on the private bridge. 

The avprivate bridge is an internal, private bridge that allows virtual machines to communicate 
with each other. This private bridge has no connection to your LAN. During installation, System 
Platform runs an algorithm to find a set of IP addresses that do not conflict with the addresses 
configured on the System Domain Network Configuration page. However, it is still possible that 
the addresses selected conflict with other addresses in your network. Since this private bridge 
is isolated from your LAN, this address conflict could result in the failure of System Platform 
or an installed template to route packets correctly. 


Downloading template files 

Procedure 

1. To install the template by selecting the SP Server option, download the following .tar 
files: 
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• oneXCES_61_1 .taraa 

• oneXCES_61_1 .tarab 

• oneXCES_61_1 .tarac 

• oneXCES_61_1 .tarad 

• oneXCES_61_1 .tarae 

• oneXCES_61_1 .taraf 

2. Copy the above files at location /vsp-tempiate/ on cdom. 

3. Using the SSH terminal of cdom, extract or untar the template files using the 
command: cat oneXCES_6l_l. tara* | (tar x) from the location /vsp- 
template/. 

The system creates the following files in a directory labeled with the version that 
you downloaded, for example, /vsp-tempiate/6.1.1.0.23: 

• backup_onexps.sh 

• lv_rhel.img.gz 

• onexps_template.mf 

• onexps_template_24GB.ovf 

• onexps_template_l6GB.ovf 

• post_install.sh 

• preweb.war 

• restore_onexps.sh 

• patchplugin_onexps.sh 

• versioninfo_onexps.sh 

You can verify the checksum of downloaded files using a shalsum tool. The 
shalsum tool is available as a freeware from Internet. 

4. To verify the file checksum, use the command: shalsum * 

Compare the results with the checksum information listed in the 

onexps_template. mf file. 
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Installing a solution template 

Note: 

Restart the cdom using its Web administration console after you delete the existing template, 
before you install a new template. 

Before you begin 

Complete all preinstallation and configuration worksheets and checklists, including the 
following: 

• Installation worksheet: information required by template installation on page 39 

• Configure NTP before proceeding with the Client Enablement Services installation 

Procedure 

1. Log in to the System Platform Web Console as admin/adminoi. 

2. Click Virtual Machine Management > Solution Template. 

The system displays the Search Local and Remote Template Web page. Use this 
page to select the template that you want to install on System Platform. 

3. Select a location from the list in the Install Templates From box. 

• Select Avaya Downloads (PLDS) and in the Template Location field, provide 
the PLDS URL. 

• Select HTTP and in the Template Location field, provide the U RL of the HTTP 
server where the template files exist. 

• Select SP Server if the template files are copied to the /vsp-tempiate/ 
directory of the System Platform server and this option is used to install the 
Client Enablement Services template. 

• Select SP CD/DVD. 

Note: 

If you plan to install the Client Enablement Services template files from a 
DVD, then you must use a Double-Layer DVD media so that the template 
files fit into a single DVD. 

• Select SP USB Disk. 

Note: 

If you plan to install the Client Enablement Services template files from a 
USB, then you must ensure that the template files fit into a single USB. 
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4. Click Search to display a list of template descriptor files. Each available template 
has one template descriptor file. 

5. On the Select Template Web page, select a template from following types, and then 
click Select to continue. 

• onexps_tempiate_i 6 gb . ovf . If the system on which you are installing 
Client Enablement Services has 16 GB or more RAM, use this template. 

• onexps_tempiate_2 4GB. ovf. If the system on which you are installing 
Client Enablement Services has 24 GB or more RAM, use this template. 

Note: 

All templates have same functionality. Select a template based on the RAM of 
the system. If you are using a Dell server, you must use the 

onexps_template_2 4GB. ovf template. 

The system displays the Template Details Web page with information on the 
selected template and its Virtual Machines. 

6. Click Install to start the template installation. Follow the installer prompts and enter 
the required information from the installation worksheet. 


Search Local and Remote Template field and button descriptions 


Field 

Description 

Install Template From 

The locations from which you can select a 

template and install it on System Platform. 

The available options are: 

• Avaya Downloads (PLDS): The template 
files are located in the Avaya Product 
Licensing and Delivery System (PLDS) 
Web site. You must enter an Avaya SSO 
login and password. The list contains all 
the templates to which your enterprise is 
entitled. Each line in the list begins with the 
sold-to number to allow you to select the 
appropriate template for the site where you 
are installing. Hold the mouse pointer over 
the selection to view more information 
about the “sold-to” number. 

• HTTP: The template files are located on an 
HTTP server. You must enter the template 
URL information. 

• SP Server: The template files are located 
in the / vsp-template file system in the 
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Field 

Description 


Console Domain of the System Platform 
server. 

• SP CD/DVD: The template files are located 
on a DVD in the DVD drive on the server. 

• SP USB Disk: The template files are 
located on a USB flash drive connected to 
the server. 

SSO Login 

Active only when you select the Avaya 
Downloads (PLDS) option to search for a 
template. 

Login id for logging on to Single Sign On. 

SSO Password 

Active only when you select the Avaya 
Downloads (PLDS) option to search for a 
template. 

Password for Single Sign On. 

Template Location 

Active only when you select the HTTP or SP 
Server option to search for a template. 

Search 

Searches for template descriptor files. Each 
available template has one template 
descriptor file. 


Template Details field and button descriptions 


Name 

Description 

Product ID 

Displays the Client Enablement Services 
template name. 

Product Vendor 

Displays the Client Enablement Services 
template vendor. 

Product Version 

Displays the Client Enablement Services 
template version. 

Install 

Installs the solution template. The system 
displays this button only if there is no 
template currently installed on System 
Platform. 

Cancel 

Cancels the installation of Client Enablement 
Services and discards all information 
entered in the template installation. 
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Avaya one-X® Client Enablement Services template installation 
screens 

Client Enablement Services template installation 

Note: 

Before you start the template installation, you must disable the pop-up blocker in the 
browser, as the pre-install plug-in will open as a pop-up. 

The Client Enablement Services template installation includes the following configurations 
pages: 

• Network settings 

• License 

• NTP Server 

• LDAP Details 

• LDAP Groups 

• SIP Local 

• Handset Server 

• Transcoding Server 

• System Manager (SMGR) 

• WebLM 

• Summary 

You must enter all the details in the template installation. Skipping any details would result in 
improper installation/functioning of Client Enablement Services. 

All the fields in the template installation are mandatory except the one for System Manager 
(SMGR), if System Manager is not present at the time of the Client Enablement Services 
installation. 

Note: 

If you want to integrate Presence Services with Client Enablement Services, then the order 
of installation is System Manager-> Presence Services-> Client Enablement Services. You 
must provide the System Manager credentials during the Client Enablement Services 
installation, as Presence Services will not function properly otherwise. 

The following buttons are available on some or all of the template installation screens: 
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Name 

Description 

Cancel Installation 

Cancels the installation of Client Enablement 
Services and discards all information 
entered in the template installation. 

Previous Step 

Returns to the previous installer screen. 
However, the system does not discard the 
information entered in the current screen. 

Next Step 

Saves the information entered in the current 
screen and moves to the next installer 

screen. 


Cancelling installation 

About this task 

You can cancel the installation anytime by clicking on the Cancel Pre-Install Plugin link on 
any of the Client Enablement Services installation pages. The pre-install plug-in is nothing but 
the template installation mentioned in the previous pages. 

Procedure 

1 . On the Client Enablement Services template installation page, click the Cancel Pre- 
Install Plugin link on the left pane. 

The system displays the confirmation dialog. 

Note: 

If you cancel the installation, the plug-in does not install Client Enablement 
Services. 

2. Click OK to abort the installation. 


Network Settings field descriptions 


Name 

Description 

one-X CES IP 

Enter the IP address of the Client 
Enablement Services system. 

one-X CES FQDN 

Enterthe Fully Qualified Domain Name of the 
Client Enablement Services system. 

For example: 

onexcesl 00.sysucd.avaya.com 
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one-X CES License Agreement field descriptions 


Name 

Description 

1 accept the terms of license agreement 

Records that you have agreed to the terms 
of the agreement and continues with the 
Client Enablement Services installation. 


NTP Server Details field descriptions 

A NTP server provides the correct network time on your computer network using the Network 
Time Protocol (NTP). You can use NTP to synchronize the time on computers across a 
network. 


Name 

Description 

NTP Serverl 

IP address or FQDN of the computer that 
hosts the NTP Server 1. This field is 
mandatory. 

NTP Server2 

IP address or FQDN of the computer that 
hosts the NTP Server 2. 

NTP Server3 

IP address or FQDN of the computer that 
hosts the NTP Server 3. 


LDAP Information field and button descriptions 

The template installation uses this information to configure the connection between Client 
Enablement Services and the Enterprise Directory server. 

If the Enterprise Directory has users defined in one domain and security groups defined in 
another domain, the template installation presents you with Enterprise Directory configuration 
screens for the User and Group domains. Configure the user domain in the first section and 
the resource domain for security group in the second section. 

Note: 

The split configuration is only supported and available with Microsoft Active Directory and 
not with other Enterprise Directories. 


Name 

Description 

LDAP Type 

Select Active Directory (Split Domain) 

from the field. 
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Name 

Description 


Note: 

For information on other LDAPs such as 
Active Directory (Single Domain), SUN 
Directory Server Enterprise Edition, IBM 
Domino Server and Novell eDirectory, see 
LDAP Information field descriotions on 

page 115. 

User LDAP Host 

IP address of the computer that hosts the 
Enterprise Directory server. 

The host value can also be the FQDN. 

This is the user LDAP with all the 
administered users. 

User LDAP Port 

Port that Client Enablement Services uses to 
communicate with the Enterprise Directory 
server. 

Note: 

You must install the Client Enablement 
Services template over the non-secure 
port (389) for LDAP connection. If you 
want to establish a secure connection, 
you can perform this later using the Client 
Enablement Services administration 
client. For more information, see the 
Appendices in this document. 

User LDAP Domain 

The domain name of the user you configured 
on the Enterprise Directory server. 

User LDAP UserName 

Enterprise Directory user that you created for 
the Client Enablement Services 
administrative service account. 

Note: 

The user must be a member of the Client 
Enablement Services administrator's 
security group created for this install. 
Client Enablement Services uses this user 
for assigning permissions to users for 
performing administrative tasks. 

User LDAP Password 

Password for the Client Enablement 

Services administrative service account. 

Confirm 

Confirm password for the Client Enablement 
Services administrative service account. 

Is Group LDAP on different forest? 

Select the check box if the Group LDAP is on 
a different forest. 

Group LDAP Host 

IP address of the computer that hosts the 
Resource Enterprise Directory server. 
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Name 

Description 


The host value can also be the FQDN. 

This is the group LDAP with all the 
administered Client Enablement Services 
security groups. 

Group LDAP Port 

Port that the Client Enablement Services 
computer will use to communicate with the 
Resource Enterprise Directory server. 

Note: 

You must install the Client Enablement 
Services template over the non-secure 
port (389) for LDAP connection. If you 
want to establish a secure connection, 
you can perform this later using the Client 
Enablement Services administration 
client. For more information, see the 
Appendices in this document. 

Group LDAP Domain 

The domain name of the group configured on 
the Enterprise Directory server. 

Group LDAP UserName 

For same forest configuration, the user name 
is the Enterprise Directory user that you 
created for the Client Enablement Services 
administrative service account in the User 
LDAP. This user must also authenticate the 
Group LDAP. 

For different forest configuration, the user 
name is the secondary Client Enablement 
Services administrative account that you 
have created in the Group LDAP. 

Group LDAP Password 

Password for this user account. 

Confirm 

Confirm password for the Client Enablement 
Services administrative service account. 


LDAP Configuration field and button descriptions 


Name 

Description 

Admin Group DN 

Security group for Client Enablement 
Services administrators. 

Example values: 

cn=oneXCESAdmin,cn=users,dc=group 

s,dc=domain,dc=xyzcorp,dc=com 

Auditor Group DN 

Security group for Client Enablement 
Services auditors. 
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Name 

Description 


Example values: 

cn=oneXCESAudit,cn=users,dc=group 

s,dc=domain,dc=xyzcorp,dc=com 

User Group DN 

Security group for Client Enablement 
Services users. 

Example values: 

cn=oneXCESUser,cn=users,dc=groups, 

dc=domain,dc=xyzcorp,dc=com 


SIP Local field descriptions 


Name 

Description 

SIP Local Domain 

Enter the local domain for SIP. 

The value in this field must match the 
Authoritative Domain name in the 
Communication Manager ip-network-region 
form or the Routing Domain name in Session 
Manager. 

SIP Local Port 

Enter the local port number for SIP. 

The default port is 5060. 

Note: 

If you select the SIP Secure Port check 
box, the port number is 5061. 

SIP Secure Port 

Select the check box if the SIP port is 
secure. 


Handset Server/Service field descriptions 


Note: 

Once you select a Handset Server configuration, Standalone or Co-resident, and complete 
the installation, then you cannot change the Handset Server configuration. The only way 
you can change the configuration is by reinstalling the entire template. 


Name 

Description 

Install Handset Server 

Select this check box to install the Handset 
Server on the Co-resident Server, that is, the 
same server on which you installed Client 
Enablement Services. 
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Name 

Description 

Use SSL 

Select this check box to secure connection 
between Handset Server and Handset 
Service. 

Handset Server Port 

Enter the port on which the Handset Server 
listens for incoming connections from mobile 
clients. 

The default port is 7777. 

Note: 

You can change this value later, if 
required, from the 

handset_server. properties file 
or from the Handset Configuration screen 
in the Client Enablement Services 
administration client. 

For information on changing the value 
from the 

handset_server. properties file, 
see Handset Server confiauration on 
page 70. 

For information on changing the value 
from the administration client, see 
Administering Avaya one-Xf Client 
Enablement Services. 

Handset Service Port 

Enter the listening port of the handset 
service. 

The default port is 8888. 

Note: 

You can change this value later, if 
required, from the 

handset_server.properties file 
or from the Handset Configuration screen 
in the Client Enablement Services 
administration client. 

For information on changing the value 
from the 

handset_server. properties file, 
see Handset Server confiauration on 
page 70. 

For information on changing the value 
from the administration client, see 
Administering Avaya one-X ® Client 
Enablement Services. 
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Transcoding Server field descriptions 


Name 

Description 

Transcoding Server Port 

Enter the port on which the Transcoding 
Server listens for incoming connections. 

The default port is 8090. 


System Manager (SMGR) details field descriptions 

Note: 

This screen is optional. The details are required only for Session Manager and Presence 
Services integration. 


Name 

Description 

SMGR Host 

Enter the network host address of System 
Manager. It can be defined either as FQDN 
or as an IP address. 

SMGR Port 

Enter the port on which the System Manager 
listens for trust management requests. 

This is the port where Client Enablement 
Services contacts System Manager. The 
System Manager generates the Client 
Enablement Services’ personal certificate. 
The default port is 443. 

SMGR Enrollment Password 

Enter the enrollment password for System 
Manager. 

This is the password configured at System 
Manager in the security-certificates section. 

Confirm 

Confirm password for the SMGR 
enrollment. 


WebLM Details field descriptions 


Name 

Description 

Local WebLM 

Click this option if WebLM of System 

Platform is used. 
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Name 

Description 


Note: 

If you select this option, the System 
Manager (SMGR) WebLM Port field is 
not available. 

Remote System Manager (SMGR) WebLM 

Click this option if WebLM of remote System 
Manager is used. 

System Manager (SMGR) WebLM Port 

The port number for System Manager 
(SMGR) WebLM. 

The default value is 52233. 


Summary of Client Enablement Services installation 

This screen summarizes the selections and configuration information that you entered in the 
template installation. 

Review this summary carefully. To change any of the configuration information, click Previous 
Step. 


Completing the Client Enablement Services installation 

Procedure 

Click Install to continue with the Client Enablement Services installation. 

The system closes the summary page and the installation continues. Once the 
installation is complete, the system displays the following message: Template 
Installation Completed Successfully. 

Note: 

Once the installation is complete, you must manually reboot the Client Enablement 
Services server from the cdom. Log in to the cdom as admin/adminOi and click 
Virtual Machine Management > Manage. Select the one-X CES virtual machine 
and click Reboot. 
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Verifying the installation 

Procedure 

1. Log in to the Client Enablement Services administration client using the credentials 
provided in the template installation for the User LDAP UserName and User LDAP 
Password fields. 

The default Web page address is https://<one-x ces ip or fqdn>/ 
admin, where one-X CES IP or FQDN is the IP address or the Fully Qualified 
Domain Name (FQDN) of the computer that hosts Client Enablement Services. 

For example, if the name of the computer that hosts Client Enablement Services is 
onexcES and the domain is xyzcorp. com, the Web page address for your 
Administration application is https : //oneXCES . xyzcorp. com/admin/. 

2. On the administration client, check whether you can view the tabs: Home, Users, 
Servers, Scheduler, System, and Monitors. 

3. Click the System tab. 

4. In the left pane, select General. 

The Application Server Version field displays the version of Client Enablement 
Services. If the version number matches the version of Client Enablement Services 
that you installed, this indicates that the installation is completed correctly. 


Logging in to the Avaya one-X® Client Enablement Services 
server using SSH 

About this task 

You can open an SSH session to the Client Enablement Services server. You can either use 
the user name root and password rootOI or the user name craft and password craftOI to 
log in to the system. These are default passwords, and you can change them. 

Craft is a general user; therefore, you must use the root login to perform system administration 
tasks. 

To change the password of the user name root, perform the following tasks: 
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Procedure 

1. Log in to the Client Enablement Services server as craft/craftoi and then 
switch the user to root using the command su - root and password rootOI. 

2. In the command prompt, type the command passwd. 

The system displays the message: Changing password for the user 
root. 

3. Enter the new password in the New UNIX password field. 

4. Re-type the password in the Retype new UNIX password field. 

The system displays a message: all authentication tokens updated 
successfully. 

Note: 

Once you change the default password for the root user, use this password for 
subsequent tasks where you use the root login. 


Setting up Avaya one-X® Client Enablement Services 

To configure the Client Enablement Services system, see Administering Avaya one-X® Client 
Enablement Services. 
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Chapter 4: Installing, configuring, and 

upgrading the Handset Server 


Handset Server checklist 

Use the following checklist to install, configure, and upgrade the Handset Server. You can also 
administer and uninstall the IBM HTTP Server. As you ensure that a task is complete, make a 

check mark in the column. 


✓ 

Task 

References 

Notes 


Install Standalone 
Handset Server 

See Prereauisites on 
page 65 




See Installina server with direct 
access on paqe 67 or 
see Installina server with only 
ssh access on oaqe 68 




See Connectina IBM HTTP 
Server with Client Enablement 

Services for downloadinq 

mobile applications from the 

Standalone system on 
page 69 



Install Co-resident 
Handset Server 

See Installina on paqe 70 



Configure Handset 
Server 

See Handset Server 
confiauration on paqe 70 



Check Handset Server / 
IBM HTTP Server 
version 

See Checkinq Handset Server / 
IBM HTTP Server version on 
page 75 



Upgrade the Handset 
Server 

See Upqradinq the Handset 
Server on paqe 76 
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✓ 

Task 

References 

Notes 


Administer the IBM 
HTTP Server 

See IBM HTTP Server 
administration and 
maintenance on paqe 76 



Uninstall the 

Standalone Handset 
Server 

See Uninstallina the 

Standalone Handset Server on 

page 81 



Uninstall the 

Standalone IBM HTTP 
Server 

See Uninstallina the 

Standalone IBM HTTP 

Server on paqe 82 



Handset Server installation 

The Handset Server is required for functionality related to Avaya one-X® Mobile. 

There are two deployment options for Handset Server installation: 

• Co-resident installation: The Handset Server is installed on the same server where Client 
Enablement Services is installed. This deployment option supports a Handset Server that 
is co-resident with Client Enablement Services on a System Platform template and 
supports Reverse Proxy deployment. 

By default, the system selects the Install Handset Server check box during the Client 
Enablement Services template installation. The Handset Server is installed at /opt/ 
avaya/HandsetServer. The system installs the IHS on the Co-resident Server 
irrespective of you selecting or clearing the check box. 

Use the Co-resident IHS for handling internal HTTP traffic to the IHS, that is, the Client 
Enablement Services administration client and not the IBM console. Use the Standalone 
IHS for handling Internet traffic, that is, mobile application download. When the Handset 
Server is co-resident, the single Co-resident IHS plays both roles. 

On a Reverse Proxy deployment, if you upgrade Client Enablement Services and if the 
IHS has been hardened previously; the IHS must be re-hardened as the template upgrade 
does a fresh OS install. 

• Standalone installation: The Standalone Server installation is performed on a separate 
server, typically located in the DMZ that is running the Handset Server service. To 
implement this, you must install and configure a separate RedHat server with an IP 
address. The IHS software is located on the Client Enablement Services server under / 
opt/avaya and the installation package is called RHServer.bin. You must copy this 
package from the Client Enablement Services server to the target RedHat server that will 
host this application. Install RHServer.bin using the steps in the following section. 


64 Implementing Avaya one-X® Client Enablement Services Release 6.1 SP1 February 2012 

Comments? infodev(a>avava.com 



















Handset Server installation 


Standalone Handset Server installation 

You can install the standalone Handset Server using any of the following options: 

• Server with direct access 

• Server with only ssh access 


Note: 

If the Handset Server is standalone, you must install Client Enablement Services first and 
then the Handset Server. Installing Handset Server prior to installing Client Enablement 
Services will cause the Handset Server to time-out. 


Prerequisites 

The server must meet the following prerequisites for installing the Handset Server on a 
Standalone Server. 

Operating System RHEL Enterprise Linux 5.0 (64 bit) 

CPU Dual quad-core processors (2.4 GHz or higher) 

Memory 4 GB of RAM 

Hard drive 2 * 146 GB (RAID 1) 

Note: 

The versions of Avaya and third-party products mentioned in this guide are likely to change 
as Avaya tests and certifies later versions of supported products. To know about the latest 
versions of products that Client Enablement Services Release 6.1 SP1 supports, refer to 
the Avaya Support Web site, http://www.avava.com/support . 

Open ports 

Several ports have to be open for the DMZ HTTP/Handset Server to work. 

Note: 

For new installation, HTTP is disabled by default. 


Server 

Open Port 

Protocol 

Required 

Direction 

HTTP Server 

443 

https 

Yes 

Open from 

Public Internet to 
HTTP Server 

HTTP Server 

22 

ssh 

Yes 

Open from 
inside the 
corporate 
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Server 

Open Port 

Protocol 

Required 

Direction 





firewall of Client 
Enablement 
Services to 

HTTP Server 

HTTP Server 

8008 

https 

Yes 

Open from 
inside the 
corporate 
firewall of Client 
Enablement 
Services to 

HTTP Server 

Client 

Enablement 

Services 

9443 

https 

Yes 

Open from 

HTTP Server to 
Client 

Enablement 

Services 

Handset Server 

7777 

(configurable) 

xSocket using 
SSL v3 

Yes 

Open from 

Public Internet to 
Handset Server 

Client 

Enablement 

Services 

8888 

(configurable) 

xSocket using 
SSL v3 

Yes 

Open from 
Handset Server 
to Client 
Enablement 
Services 


Domain Name System 

The IHS must resolve two fully qualified domain names (FQDNs). First, it has to resolve itself. 
Second, it has to resolve the domain name of the Client Enablement Services server. Either 
the Domain Name System (DNS) Servers must be accessible from the IHS Server, or the IHS 
Server’s /etc/hosts file has to have these two entries added. You need to add these two 
entries only if the DNS server cannot resolve the FQDN to IP. 

An example of these /etc/hosts entries are: 

Example 

198.152.10.235 dmzihsserver.example.com dmzihsserver 

192.168.1.100 onexCES.inside.example.com onexCES 

Test whether the hosts are resolvable 

To test if these hosts are resolvable, from the dmz server run: hostname -long and wget 

https:// <lxCESHostName> :9443/mobileapps 

For example, if /etc/hosts is setup up as in the /etc/host example above: 

# hostname -long 
dmzihsserver.example.com 

#wget https:// onexCES:9443/mobileapps 
—08:21:56— https:// onexCES:9443/mobileapps 
=> 'mobileapps' 
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Resolving onexCES... 192.168.1.100 

Connecting to onexCES 1192.168.1.100 | : 9443 . . . connected. 

HTTP request sent, awaiting response... 302 Found 
Location: https:// onexCES:9443/mobileapps/ [following] 

—08:21:57— https:// onexCES:9443/mobileapps/ 

=> 'index.html.1 1 

Reusing existing connection to onexpslOO:9443. 

HTTP request sent, awaiting response... 200 OK 
Length: 779 [text/html] 

100%[==========================================================>] 779 

K/s 

08:21:57 (61.91 MB/s) - 'index.html.1’ saved [779/779] 


Installing server with direct access 

Before you begin 

• Log in to the shell as a root user. 

• The Handset Server installer must have executable permissions. You can use the 
command chmod +x RHServer. bin to provide this permission. 

Procedure 

1. Copy the RHServer. bin file to the/tmp directory on your system. 

The RHServer.bin file is available in the template provided with PLDS. 

2. Launch the installer by using the command . /RHServer.bin 
Enter the name of the installation directory. 

3. In the Handset Server IP field, enter the IP address of the computer on which you 
are installing the Handset Server. 

4. In the Handset Server port field, enter the port on which the Handset Server listens 
for incoming connections from mobile clients. 

The default value is 7777. 

5. In the Handset Services IP field, enter the IP address of the Client Enablement 
Services server. 

6. In the Handset Services port field, enter the listening port of the Handset 
Service. 

The default value is 8888. 

7. Select the Use SSL check box to secure connection between Handset Server and 
Handset Service. 

8. Click Next and complete the installation. 
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Note: 

Once the installation of Handset Server is complete, exit and re-login the shell 
before starting the Handset Server. 


Installing server with only ssh access 

Before you begin 

• Log in to the shell as a root user. 

• The Handset Server installer must have executable permissions. You can use the 
command chmod +x RHServer. bin to provide this permission. 

Procedure 

1. Copy the RHServer. bin file to the/tmp directory on your system. 

The RHServer.bin file is available in the template provided with PLDS. 

2. Open ssh session with the server and navigate to the directory where the installer 
is located. 

3. Launch the installer by using the command . / <RHServer ,bin> -console 

4. In the Handset Server IP field, enter the IP address of the computer on which you 
are installing the Handset Server. 

5. In the Handset Server port field, enter the port on which the Handset Server listens 
for incoming connections from mobile clients. 

The default value is 7777. 

6. In the Handset Services IP field, enter the IP address of the Client Enablement 
Services server. 

7. In the Handset Services port field, enter the listening port of the Handset 
Service. 

The default value is 8888. 

8. Set the SSL value to True. 

9. Complete the installation by following the system prompts. 

Note: 

Once the installation of Handset Server is complete, exit and re-login the shell 
before starting the Handset Server. 


68 Implementing Avaya one-X® Client Enablement Services Release 6.1 SP1 February 2012 

Comments? infodev@avava.com 





Handset Server installation 


Connecting IBM HTTP Server with Client Enablement Services for 
downloading mobile applications from the Standalone system 

If you deploy the IHS on a Standalone system, you must perform the steps in this section for 
the Client Enablement Services server to interact with the IHS, before the mobile applications 
are available for download from the Standalone system. 

You must perform the steps in this section each time you install or upgrade Client Enablement 
Services. 

Before you begin 

Ensure that the Client Enablement Services server and the Standalone IHS are running. 

Procedure 

1. In the SSH terminal session on the Client Enablement Services server, log in as 
craft/craftoi and then switch the user to root using the command su - root 
and password rootOI. 

2. Change to the /opt/avaya/ixp directory using the cd /opt/avaya/ixp 
command. 

3. Edit the config.properties file in the /opt/avaya/ixp directory to add the 
following property: 

• dmz.ihs.host=< IP Address of the Standalone Handset Server> 

4. To configure the IHS on WAS, run the run_config_httpservers_jython.pl 
command in the /opt/avaya/ixp directory. 

5. Copy the plug-in files from the Client Enablement Services server to the Standalone 
IHS using the scp /opt/IBM/WebSphere/AppServer70/profiles/ 

default/conf ig/cells/<Host Name of the Client Enablement 
Services ,Server>Node01Cell/nodes/<IP Address of the 
Standalone Handset Server>-node/servers/dmzwebserver/plugin- 

* <Login User Name of the Standalone Handset Server>Q<IP 
Address of the Standalone Handset Server>:/ opt/IBM/ 
HTTPServer/Plugins/conf ig/dmz Webserver/ command. 

6. In the SSH terminal session on the Standalone Handset Server, change the group 
of the plug-in files copied on the Standalone system to appsvr using the command: 

chgrp appsvr /opt/IBM/HTTPServer/Plugins/config/ 
dmzWebserver/* 

7. Restart the IHS services using the service ihs restart and service 
ihs_admin restart commands. 
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8. To download the active mobile applications on the Standalone system, access the 

https ://<IP Address of the Standalone Handset Server>/ 
mobileapps/ Web site. 


Co-resident Handset Server installation 


Installing 

During the installation of the Client Enablement Services template, the system installs the co¬ 
resident Handset Server on the same server on which you installed Client Enablement 
Services. 

Procedure 

1. On the Handset Server / Service page of the Client Enablement Services template 
installation, ensure that the system selects the Install Handset Server check box 
by default. 

2. Select the Use SSL check box to secure connection between Handset Server and 
Handset Service. 

3. In the Handset Server Port field, enter the port on which the Handset Server listens 
for incoming connections from mobile clients. 

The default port is 7777. 

4. In the Handset Service Port field, enter the listening port of the handset service. 
The default port is 8888. 

5. Follow the installer prompts and enter the required information from the installation 
worksheet. For more information, see Installation worksheet: information required 
by template installation on page 39. 


Handset Server configuration 

The Handset Server configuration is stored in the handset_server. properties file that 
is located in the Handset Server installation directory, that is, /opt/avaya/ 

HandsetServer. 

During the installation, the system automatically populates this file with user input. Only the 
system administrator must modify this file. 
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The handset_server. properties file includes the following attributes. 

Note: 

If the system administrator makes changes in the handset_server .properties file, 
then you must stop and start the Handset Server. For more information, see Stopping the 
Handset Server on page 73 and Starting the Handset Server on page 74. 


Name 

Description 

hs_hostname 

The IP address or host name of the machine 
on which the Handset Server is running. 

use_ssl 

To secure network connections, set this 
property to true. 

The default value is true. 

port 

The Handset Server listens for incoming 
connections from the mobile clients on this 
port. 

The default value is 7777. 

hss_hostname 

The IP address or host name of the Client 
Enablement Services server on which the 
Handset Service runs. 

hss_port 

The Handset Service listens to incoming 
connections from the Handset Server on this 
port. 

The default value is 8888. 

hs.client.timeout 

The connection between the client and the 
Handset Server can be idle for the specified 
period, after which the connection is 
disconnected. 

The default value is 900 seconds. 

pipleline_idle_timeout 

The network connection can stay idle for the 
specified period, after which the network 
connection is disconnected. 

The default value is 20 seconds. 


Note: 

This parameter is very important. Any 
change in the parameter value can 
severely affect the performance of the 
Handset Server. 

pipeline_count 

The total number of simultaneous network 
connections with Handset Services. 

If you provision the server to support more 
number of simultaneous user connections, 
you must increase the pipeline count. 

The default value is 10. 
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Name 

Description 


Note: 

This parameter is very important. Any 
change in the parameter value can 
severely affect the performance of the 
Handset Server. 

pipeline_recovery_retry_delay 

Before attempting to reconnect to Handset 
Services, the system waits for the specified 
duration. 

The default value is 60 seconds. 

log_client_io 

To log the client I/O information, set this 
property to true. 

The default value is false. 

The system logs the client I/O information in 
the logs directory. 

Note: 

You must use this property for debugging 
purpose only. 

If you set this property to true, this property 
will negatively affect the performance of all 
I/O as the system dissects each data 
packet at the protocol level in order to log 
the information. 


Handset Services properties 

Handset Services use the Client API to provide Avaya one-X® Mobile users with access to their 
UC capabilities. The Handset Services manages all the users “sessions” cache data. 

The Handset Services configuration is stored in the HandsetServices .properties file 
that is located in the /opt/iBM/webSphere/AppServer70/iib/ext directory. In case of 
a Standalone Server, if you manually change the port information in the 
HandsetServices. properties file, then you must change the corresponding value in the 

handset_server. properties file that is located in the /opt/avaya/HandsetServer 

directory. 


Name 

Description 

cache_load_factor 

The cache load factor. 

The default value is 0.75F 

server_idle_timeout 

The period of inactivity after which the 
connection is closed. 

The default value is 20000. 

max_cache_size 

The maximum cache limit. 

The default value is 6500. 
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Name 

Description 

use_ssl 

To enable (secure) or disable (non-secure), 
set this property to true or false. 

The default value is true. 

port 

The port on which the Client Enablement 
Services server communicates with the 
Handset Server. 

The default value is 8888. 

min_cache_size 

The minimum cache limit. 

The default value is 50. 


Verifying whether the Handset Server is running 

Procedure 

1. Open terminal on the server where Handset Server is installed and run the 
Command: ps -ef | grep HandsetServer. 

2. If the Handset Server is running, the system displays its process. 


Example 

# ps -ef | grep HandsetServer root 17788 1 0 Jun27 ? 00:26:35 /opt/avaya/ 
HandsetServer/_jvm/bin/java -jar -server -XX:+MaxFDLimit - 
Dorg.xsocket.connection.server.ssl.sslengine. 

enabledCipherSuites=TLS_DHE_RSA_WITH_AES_12 8_CBC_SHA,TLS_DHE_DSS_WITH_ 

AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA -Dcom.sun.management.config. file=/ 
opt/avaya/HandsetServer/hsjmx.properties /opt/avaya/HandsetServer/lib/ 
RoutingHandsetServer.jar 


Stopping the Handset Server 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

Note: 

In a Co-resident installation, you must log in to the Client Enablement Services 
server. However, in a Standalone installation, you must log in to the Handset 
Server. 


Implementing Avaya one-X® Client Enablement Services Release 6.1 SP1 


February 2012 73 











Installing, configuring, and upgrading the Handset Server 


2. On the shell prompt, type the service handset_server stop command to 
stop the Handset Server. 

This stops the Handset Server. 

You can view the Handset Server logs in the hs. log file located in the /opt/ 
avaya/Handset Server/logs directory. 

To check only the error information, view the hs_errors. log file located in the / 

opt/avaya/Handset Server/logs directory. 


Starting the Handset Server 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

Note: 

In a Co-resident installation, you must log in to the Client Enablement Services 
server. However, in a Standalone installation, you must log in to the Handset 
Server. 

2. On the shell prompt, type the service handset_server start command to 
start the Handset Server. 

This starts the Handset Server. If the server starts successfully, you will see the 
following output. 

# service handset_server start 

Starting handset_server: [ OK ] 


Testing the IBM HTTP Server on the Handset Service 

Procedure 

You can test the IHS on the Handset Service using any of the following methods: 

• Log in to the mobile applications client. The default Web page address is 
https : //<one~X CES IP or FQDiV>/mobileapps, where the Client 
Enablement Services Server is the IP address or the Fully Qualified Domain 
Name (FQDN) of the computer that hosts Client Enablement Services. The 
system must display a page containing mobile downloads. 
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• Check the access_iog file using the command: tail -f /opt/IBM/ 
HTTPServer/iogs/access_iog. The log file will include content that indicates 
your access to the mobile applications. 


Cipher Suite 

A cipher suite is a named combination of authentication, encryption, and message 
authentication code (MAC) algorithms used to negotiate the security settings for a network 
connection using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network 
protocol. 

If your organization uses SSL Ciphers, you must modify the java command in the 
startServer. sh file to include a Dorg option. 

The cipher suite that works for both the Standalone and Co-resident Handset Server is: 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA 
,TLS_RSA_WITH_AES_128_CBC_SHA 

The command for enabling the Cipher Suite is 

java - 

Dorg.xsocket.connection.server.ssl.sslengine.enabledCipherSuites=TLS_DHE_R 
SA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_ 
128_CBC_SHA -jar /opt/avaya/HandsetServer/lib/RoutingHandsetServer.jar 


Checking Handset Server / IBM HTTP Server version 

Procedure 

1. To check the Handset Server version, view the hs. log file located in the /opt/ 
avaya/Handset Server/logs directory. 

2. To check the IHS version, change to the /opt/iBM/HTTPServer/bin directory 
and then use the . /versioninfo. sh command. 
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Upgrading the Handset Server 

Note: 

For upgrading the Handset Server, you do not need to uninstall the earlier installation. 

About this task 

To upgrade the Handset Server on the: 

• Standalone Server: Run the latest Handset Server installer, that is, RHServer.bin. 
Follow the installation prompts to complete the installation. 

• Co-resident Server: Run the Client Enablement Services install. When you upgrade Client 
Enablement Services, the system automatically upgrades the Handset Server on the Co¬ 
resident Server. 


IBM HTTP Server administration and maintenance 

The system configures the IHS during installation. The customer must not change the 
configuration other than installing third-party certificates, if required. 


Generating third-party certificates using GUI 

Before you begin 

To install a third-party certificate with a GUI interface, use the ikeyman tool available at /opt/ 
IBM/HTTPServer/bin/ikeyman. 

Note: 

The ikeyman tool can only be used from the console, a remote graphical user interface 
(VNC), or remotely using x-windows. 

Procedure 

1 . To access the keystore from ikeyman, click Key Database_File > Open. 

The system displays the Open window. 

Ensure that the default value in the Key database type field is CMS. 

2. Click Browse and navigate to the /opt/iBM/HTTPServer directory. 

3. Select the ihsserverkey . kdb file. 
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4. Click OK. 

5. Enter webAS as the keystore password. 

6. To create a third-party certificate request, click Create > New Certificate 
Request. 

The system creates a new certificate request file that has to be sent to a CA to 
request a certificate. After receiving back the signed certificate from that CA, put 
the signed certificate file into the IHS keystore using the Receive button. Ensure 
that when you receive the third-party certificate, you make it the default. 

7. To make the certificate default: 

a) In the Key database content section, select Personal Certificates, then select 
the third-party certificate. 

b) Click View/Edit. 

The system displays the Key information for window. 

c) Select the Set the certificate as the default check box. 

8. If the CA includes a signer certificate or intermediate CA certificates, you must add 
these to the Signer Certificates. 

a) In the Key database content section, select Signer Certificates. 

b) Click Add. 

You must populate your Certificate Authority Signer Certificates that ikeyman 
already knows about. 

9. Click Populate to populate your Certificate Authority Signer Certificates. 


Generating third-party certificates using command line 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

2. When the Handset Server: 

• is Standalone, change to the Handset Server directory using the command: 

cd $HSPATH. 

• is Co-resident with the Client Enablement Services server, change to the 
Handset Server directory using the command: cd /opt/avaya/iHS. 

3. Generate a certificate request using the command: 

gen_ihs_certificate_request.pl —pw=WebAS -- 
dn =<distinquished_name> -~lahel=<certificate_label> 
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• distinquished_name\ The X.500 distinguished name. Value must be a quoted 
string in the following format: CN=common_name, (^organization, 
OU=organization_unit, L=location, ST=state, province, C=country (only CN is 
required). 

• certificatejabel : The label representing the certificate in the keystore. This 
label must be unique within the keystore. 

Renewal requests always require a unique non-default label. 

For example: . /gen_ihs_certificate_request .pi -pw WebAS -dn 
"CN=ihsmachine.example.com, OU=Organization X, 0=Example 
Inc, C=us" 

The system creates a new certificate request file certreq.arm in the /opt/IBM/ 
HTTPServer directory that has to be sent to a CAto request a certificate. 

4. After receiving back the signed certificate from that CA, put the signed certificate 
file into the IHS keystore using the command: . / 

receive_ihs_certificate.pl-pw WebAS — 

fil e=<filename_received certificate> [--ca_file 

<filesname_ca_certificate> ]—format=<ascii / binary >" 

• filename_received certificate'. The file containing the received CA signed 
certificate. 

• filesname_ca_certificate\ The CA certificate that accompanies the CA signed 
certificate. 

• ascii I binary. The format of the received certificate. 

For example: . /receive_ihs_certif icate .pl-pw WebAS — 

fil e=ca_signed_cert.txt —ca_file ca_signer_certs.txt -- 

format=ascii" 

5. If the CA includes a signer certificate or intermediate CA certificates, you must 
include these with the — ca_fiie option. 

Note: 

If there is any white space in the certificate aliases or in the distinguished name, 
the gsk7cmd fails if the IHS does not have the latest fix pack. 

6. If the third-party certificate includes several intermediary trusted CA certificates, you 
must add these certificates using the command: add_trusted_certs .pi — 
pw=<keystore_password> —f±le=<trusted certificate> -- 
label=<trusted certificate label> --format =<ascii / binary> 

• keystorejpassword'. WebAS 

• trusted certificate'. The file name of CA intermediate certificate. 
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• trusted certificate label = Label is unique alias for that certificate. All aliases in 
store have to be unique. 


Migrating the IBM HTTP Server keystore to the Handset Server 
keystore 

Once the IHS keystore contains the new CA signed certificate, then you must migrate the CA 
certificate to the Handset Server keystore. 

Procedure 

1. Migrate the certificate to the Handset Server keystore using the command: . / 

migrate_ihs_keystore_to_handset_server.pl -pw WebAS 

For example, on the Co-resident Handset Server: 

# cd /opt/avaya/IHS 

# ./migrate_ihs_keystore_to_handset_server.pi -pw WebAS 

For example, on the Standalone Handset Server: 

# cd /opt/avaya/HandsetServer 

# ./migrate_ihs_keystore_to_handset_server.pi -pw WebAS 

2. Copy the keystore. jks file from the /opt/avaya/HandsetServer directory 
to the /opt/iBM/webSphere/AppServer70/iib/ext/ directory on the Client 
Enablement Services server. 


Renewing the IBM HTTP Server certificate 

Certificates have a finite life, usually about a year. If the IHS certificate is the default, that is, 
you did not generate the third-party certificates using the GUI or command line, then the 
certificate you have is a self-signed certificate with a one-year life. 

If you received a third-party certificate, that is, you generated the third-party certificates using 
the GUI or command line; then the certificate expiry date depends on the Certificate Authority, 
which is usually a year. Before the certificate expires, you must renew the certificate by 
obtaining a new one. 

Procedure 

If you are using: 

• a third-party party certificate, you must perform the steps provided in Generating 
third-party certificates using GUI on page 76 or Generating third-party certificates 
using command line on page 77. 
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• the default self signed certificate, run the following command from the Handset 
Server directory: renew_self_signed_certif icate . pi --pw=WebAS — 
label=<certificate_label> 

certificatejabel: The label representing the certificate in the keystore. Must be 
unique within the keystore. 

For example, on the Co-resident Handset Server: 

# cd /opt/avaya/IHS 

# ./renew_self_signed_certificate.pi -pw WebAS —label=default_2 

For example, on the Standalone Handset Server: 

# cd /opt/avaya/HandsetServer 

# ./renew_self_signed_certificate.pi -pw WebAS —label=default_2 

After renewing the certificate, either through a third party CA or with a self-signed 
certificate, migrate the new certificate to the Handset Server by following the 
instructions provided in Migrating the IBM HTTP Server keystore to the Handset 
Server keystore on page 79. Check whether the label is unique. If it is not, the 

renew_self_signed_certif icate . pi command will fail. You must use a 
different label. 


Reimporting IBM HTTP Server certificates 

Whenever the IHS certificate changes, you must reimport the IHS certificate in the Client 
Enablement Services WebSphere server. You must perform this by rerunning the 

run_config_httpservers_jython.pi script. 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

2. Change to the /opt/avaya/ixp directory using the command: cd /opt/avaya/ 

lxp 

3. Import the certificates using the command: . / 

run_config_httpservers_jython.pi 
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Converting the existing SSL certificate to the PKCS12 format 

To install a SSL certificate on the Microsoft Reverse Proxy server, you must convert the existing 
certificate on the Handset Server to the PKCS12 format. The conversion script is located in 
the following directories: 

• /opt/avaya/HandsetServer directory on the Standalone Handset Server 

• /opt/avaya/ms directory on the Co-resident Handset Server 

Procedure 

Convert the existing SSL certificate to the PKCS12 format using the command: 

•./convert_ssl_pkcsl2.pi -pw <password> -file /opt/avaya/ 
HandsetServer/keystore. jks on the Standalone Handset Server 

•./convert_ssl_pkcsl2.pi -pw <password> -file /opt/avaya/ 
iHS/keystore. jks on the Co-resident Handset Server 

where, 

-pw <password> is the keystore password. The default password is WebAS. 

-file <certificate file to be converted>. The Handset Server keystore file located in 

the /opt/avaya/HandsetServer or /opt/avaya/IHS directory. 

The system stores the certificate in the PKCS12 format in the /opt/avaya/ 
HandsetServer or /opt/avaya/IHS directory. 


Uninstalling the Standalone Handset Server and the IBM 
HTTP Server 


Uninstalling the Standalone Handset Server 

Before you begin 

If you have installed any third-party certificates like VeriSign, ensure that you back up the IHS 
keystores. The key stores are located at /opt/avaya/HandsetServer. 
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Procedure 

1. Change to the /opt/avaya/HandsetServer/_uninst directory using the 
command: cd /opt/avaya/HandsetServer/_un±nst 

2. Uninstall the Handset Server using the command: . /uninstaller .bin - 
console 


Uninstalling the Standalone IBM HTTP Server 

If the Handset Server installation fails for a reason, you must uninstall the IHS. 

Before you begin 

If you have installed any third-party certificates like VeriSign, ensure that you back up the IHS 
keystores. The key stores are located at /opt/avaya/HandsetServer. 

Procedure 

1. Change to the /opt/avaya/ins directory using the command: cd /opt/avaya/ 

IHS 

2. Uninstall the IHS using the command: . /uninstaiiins. sh 
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Chapter 5: Installing, configuring, and 

upgrading the Transcoding 
Server 


Transcoding Server checklist 

Use the following checklist to install, configure, and upgrade the Transcoding Server. As you 
ensure that a task is complete, make a check mark in the column. 


✓ 

Task 

References 

Notes 


Install Transcoding 
Server 

See Installina on oaae 84 



Perform postinstallation 
checks 

See Performina oostinstallation 
checks on oaqe 84 



Configure Transcoding 
Server 

See Transcodina Server 
confiauration on oaae 85 



Stop the Transcoding 
Server 

See StoDDina the Transcodina 
Server on oaae 85 



Start the Transcoding 
Server 

See Startinq the Transcodina 
Server on oaae 85 



Verify whether the 
Transcoding Server is 
running 

See Verifvinq whether the 
Transcodina Server is 

runnina on oaae 86 



Verify whether the 
Transcoding Service is 
able to connect and 
initialize the 

Transcoding Server 

See Verifvinq whether the 
Transcodina Service is able to 

initialize the Transcodina 

Server on paae 86 



Upgrade the 
Transcoding Server 

See Transcodina Server 
uoarade on oaae 87 
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Transcoding Server installation 

The Transcoding Server is required for the mobile client for downloading voice messages on 
the mobile device. 

Use the Transcoding Server for converting the voice message from WAV format, that is, default 
voice message format, to a format that supported by the mobile client. 

By default, the system installs the Transcoding Server with Client Enablement Services in 

the /opt/avaya/lxp/transcodingserver directory. 


Installing 

About this task 

During the installation of Client Enablement Services template, the system installs the 
Transcoding Server on the same server where you install Client Enablement Services. 

Procedure 

1. On the Transcoding Server Web page of the Client Enablement Services template 
installation, in the Transcoding Server Port field, enter the port on which the 
Transcoding Server listens for incoming connections. 

The default port is 8090. 

2. Follow the installer prompts and enter the required information from the installation 
worksheet. For more information, see Installation worksheet: information required 
by template installation on page 39. 


Performing postinstallation checks 

Procedure 

1. Log in to the Client Enablement Services server using SSFI Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

2. Change to the /opt/avaya/ixp directory. 

3. Check whether the transcodingserver folder exists in the /opt/avaya/lxp 
directory. 
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Transcoding Server configuration 

You can update the TranscodingServer. properties file to modify the properties of the 
Transcoding Server. You can find this file in the opt/avaya/lxp/transcodingserver/ 
conf ig directory. 

This file contains the default server properties. By updating the 

TranscodingServer .properties file, you can only override the transcoding, server.port 
property. The Transcoding Server listens to the port specified in the transcoding.server.port 
property. 

You can update all the other property values in the Audio Transcoding Web page of the Client 
Enablement Services administration Web site. The port specified in the properties file must be 
same as the port specified on the Client Enablement Services administration Web site. 


Stopping the Transcoding Server 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

2. On the shell prompt, type the service transcoding_server stop command 
to stop the Transcoding Server. 

This stops the Transcoding Server. If the server stops successfully, you will see the 
following output. 

# service transcoding_server stop 

Stopping transcoding_server: [ OK ] 


Starting the Transcoding Server 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 
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2. On the Shell prompt, type the service transcoding_server start command 
to start the Transcoding Server. 

This starts the Transcoding Server. If the server starts successfully, you will see the 
following output. 

# service transcoding_server start 

Starting transcoding_server: [ OK ] 


Verifying whether the Transcoding Server is running 

Procedure 

You can verify whether the Transcoding Server is running in the following ways: 

• At the shell command prompt, run the command: service 
transcoding_server status. The system displays the status of the 
Transcoding Server. 

• Open the lx_transcoding. log file from the /opt/avaya/lxp/ 
transcodingserver/logs directory and check for the transcoding 
server started on port XXXX message. 

Note: 

XXXX defines the port mentioned in TranscodingServer. properties 
file. 

• At the shell command prompt, run the command: ps-ef | grep 
trancodingserver. The system displays a process that runs on the 
Transcoding Server. 


Verifying whether the Transcoding Service is able to 
initialize the Transcoding Server 

Procedure 

You can verify whether the Transcoding Service is able to connect and initialize the 
Transcoding Server in the following ways: 
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• On the Monitor Audio Transcoding Services Web page of the Client Enablement 
Services administration Web site, check whether the current status of the State 
field is set to Available. 

• The Transcoding Service connects to the Transcoding Server and its state is 
Connected. 

• Open the lx_transcoding. log file in the /opt/avaya/lxp/ 

transcodingserver/logs directory and check for the following messages: 

request received for server configuration and transcoding 
server starting with following properties. 


Transcoding Server upgrade 

When you upgrade the Client Enablement Services template, the system upgrades the 
Transcoding Server. 

The default directory for the Destination of converted audio messages property on the 
Modify Audio Transcoding Web page of the Client Enablement Services administration Web 
site is /tmp/transcoding. 

Note: 

During the template upgrade, the system automatically creates the transcoding folder. If 
the system does not create the folder automatically, then you must manually create this 
folder before starting the Transcoding Server. 
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Chapter 6: Upgrading from Release 6.1 to 

Release 6.1 SP1 


Introduction 


Upgrade overview 

This chapter provides information on upgrading Client Enablement Services from Release 6.1 
to Release 6.1 SP1 on the following servers: 

• Dell R610 Server 

• HP DL360 G7 Server 

• Avaya S8800 Server 


Templates overview 

Avaya offers product-specific templates to install different products on System Platform. A 
template is a definition of a set of one or more applications that you can install on System 
Platform. Client Enablement Services provides the following templates: 

• onexps_tempiate_i6GB. ovf : If you are installing Client Enablement Services on a 
system that has 16 GB of RAM or more, you must use this template. 

• onexps_tempiate_2 4GB. ovf: If you are installing Client Enablement Services on a 
system that has 24 GB of RAM or more, you must use this template. 


Note: 

All templates have the same functionality. Select a template depending on the RAM of the 
system. 

You can install the Client Enablement Services template from one of the following locations. 
Use the option that works best in a specific customer scenario. 

• Avaya Downloads (PLDS): The template files are located in Avaya PLDS. The list 
contains all templates to which your enterprise is entitled. Each line in the list begins with 
the sold-to number so that you can select the appropriate template for the site where you 


Implementing Avaya one-X® Client Enablement Services Release 6.1 SP1 


February 2012 89 





Upgrading from Release 6.1 to Release 6.1 SP1 


are installing Client Enablement Services. Hold the mouse pointer over the selection to 
view more information about the sold-to number. The PLDS are available at http:// 
plds.avava.com . 

• HTTP: The template files are located on an http server. You can install the template files 
from the http server to several System Platform servers. You must enter the template URL 
information. 

• SP Server: The template files can be copied to the /vsp-tempiate/ directory in the 
Console Domain (cdom) of the System Platform server. 

• SP CD/DVD: The template files are located in the DVD supplied with the system or the 
DVD created onsite. 

Note: 

If you plan to install the Client Enablement Services template files from a DVD, then 
you must use a Double-Layer DVD media so that the template files fit into a single 
DVD. 

• SP USB Disk: The template files are located in a USB flash drive connected to the server. 
The format of the USB flash drive must be ext3. 

Note: 

If you plan to install the Client Enablement Services template files from a USB, then 
you must ensure that the template files fit into a single USB. 


Servers overview 

Client Enablement Services supports the following Avaya-provided hardware: 


Servers 

Notes 

Dell R610 Server 

For the server installation instructions, see 
Installing the Dell PowerEdge R610 Server. 

HP DL360 G7 Server 

For the server installation instructions, see 
Installing the HP DL360 G7 Server. 

S8800 Server 

You must install Client Enablement Services 
on your existing S8800 server after 
upgrading the S8800 server with the upgrade 
kit. 


Servers specifications 

The following table includes the hardware requirements for the servers that Client Enablement 
Services supports. 
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Hardware 

requirements 

Dell R610 

HP DL360G7 

S8800 (Upgrade 
required) 

CPU 

Dual quad-core 
processors of 2.4 

Ghz. 

Dual quad-core 
processors of 2.4 
Ghz. 

2 * 2.2 Ghz or 
higher. 

Single processor 
models are not 
supported. 

Memory 

24 GB. 

24 GB. 

16 GB. 

Requires 10 GB 
upgrade from the 6 
GB default factory 
configuration. 

Hard Drive 

4* 146 GB RAID 5. 

3 * 300 GB RAID 5. 

4* 146 GB. 

Requires 2 * 146 GB 
upgrade from the 2 * 
146 GB default 
factory configuration. 

Network Card 

100 Mbps / IGbps. 

100 Mbps / IGbps. 

100 Mbps / IGbps. 

Optical Drive 

DVD/CD 

combination drive is 
optional. 

DVD/CD 

combination drive is 
optional. 

DVD/CD 

combination drive is 
optional. 


Preupgrade requirements 

For a successful upgrade, you must perform the following functions before you begin: 

• Download all the software. 

• Ensure that there is enough space in the /vsp-tempiate/ folder. You need a minimum 
space of 6 GB for upgrade. 

Hardware requirements 

You need the following hardware to complete the upgrade process. 

• One of the following servers running Client Enablement Services Release 6.1: 

- Dell R610 Server 

- HP DL360 G7 Server 

- S8800 Server 

• Required Ethernet CAT5 cables 

Software requirements 

You must download the Client Enablement Services templates from PLDS. For more 
information, see Downloading software in PLDS on page 45. 
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Preupgrade data gathering 

You must fill data in several fields while upgrading and configuring Client Enablement Services. 
If you have the information required for these fields ahead of time, your upgrade will be faster 
and accurate. 

Before you upgrade Client Enablement Services: 

• Distribute the appropriate checklists to your network administrator. 

• Verify that your network infrastructure fulfills the hardware and software infrastructure 
prerequisites. 

To ensure that you gather all the required data before the upgrade, fill out the installation 
worksheet for upgrading Client Enablement Services. See lnstallation worksheet: information 
required by template installation on page 39. 


Upgrade checklist 

Use the following checklist to upgrade Client Enablement Services. As you complete a task, 
make a check mark in the column. 


✓ 

Task 

References 

Notes 


Download the required 
documentation. 

See Related documents on 
page 9. 



Gather preupgrade 
data. 

See Preupqrade data 
aatherinq on paqe 92. 



Download the Client 
Enablement Services 
templates from PLDS. 

See Downloadinq software in 
PLDS on paoe 45. 



Backup Client 
Enablement Services. 

See Backinq up Avava one-X 
Client Enablement Services on 

page 93. 



Upgrade Client 
Enablement Services. 

See Upqradinq the Avava one- 
X Client Enablement Services 

svstem on pace 94. 



Verify the Client 
Enablement Services 
upgrade. 

See Verifvinq the upqrade on 
page 97. 
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Perform preupgrade tasks 


✓ 

Task 

References 

Notes 


Upgrade the 

Standalone Handset 
Server. 

See UDaradina the Standalone 
Handset Server on oaqe 98. 



Verify that the IBM 

HTTP Server (IHS) is 
running. 

See Verifvina that the IBM 

HTTP Server is runnina Dost 

uoarade on oaae 99. 



Upgrade the 
Transcoding Server. 

See Transcodina Server 
uparade on paae 87. 



Configure Client 
Enablement Services. 

For more information, see 
Administering Avaya one-X® 
Client Enablement Services. 



Perform preupgrade tasks 


Backing up Avaya one-X® Client Enablement Services 

You must backup the Client Enablement Services template files and database before you start 
the upgrade. For complete information, see Chapter 9, “Template and database backup and 
restore” in Administering Avaya one-X® Client Enablement Services. 


Perform upgrade tasks 


Downloading template files 

To download and extract the Client Enablement Services template files before proceeding with 
the upgrade: 

Procedure 

1. To upgrade the template by selecting the SP Server option, download the 
following .tar files: 

• oneXCES 61 l.taraa 
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• oneXCES_61_1 .tarab 

• oneXCES_61_1 .tarac 

• oneXCES_61_1 .tarad 

• oneXCES_61_1 .tarae 

• oneXCES_61_1 .taraf 

2. Copy the above files at the /vsp-tempiate/ location on cdom. 

3. Using the SSH terminal of cdom, extract or untar the template files using the cat 
oneXCES_61_l. tara* | (tar x) command from the /vsp-template/ 
location. 

The system creates the following files in a directory labeled with the version that 
you downloaded, for example, /vsp-tempiate/6.1.1.0.23: 

•backup_onexps.sh 

•lv_rhel.img.gz 

•onexps_template.mf 

•onexps_template_24GB.ovf 

•onexps_template_l6GB.ovf 

•post_install.sh 

• preweb.war 

•restore_onexps.sh 
•patchplugin_onexps.sh 
•versioninfo_onexps.sh 

4. To verify the file checksum, use the shalsum * command. 

Compare the results with the checksum information listed in the 

onexps_template. mf file. 


Upgrading the Avaya one-X® Client Enablement Services system 

Procedure 

1. Log in to the System Platform Web Console. Use the advanced administrator login 
and password. 

2. Click Virtual Machine Management > Solution Template. 

The system displays the Search Local and Remote Template Web page. Use this 
page to select the template that you want to install on System Platform. 
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3. Select a location from the list in the Install Templates From box. 

• Select Avaya Downloads (PLDS), and in the Template Location field provide 
the PLDS URL 

• Select HTTP, and in the Template Location field provide the U RL of the HTTP 
server where the template files exist. 

• Select SP Server if the template files are copied to the /vsp-tempiate/ 
directory of the System Platform server and this option is used to upgrade the 
Client Enablement Services template. 

• Select SP CD/DVD. 

Note: 

If you plan to install the Client Enablement Services template files from a 
DVD, then you must use a Double-Layer DVD media so that the template 
files fit into a single DVD. 

• Select SP USB Disk. 

Note: 

If you plan to install the Client Enablement Services template files from a 
USB, then you must ensure that the template files fit into a single USB. 

4. Click Upgrade. 

The system displays a confirmation dialog. 

5. Click OK to continue. 

The system displays the Select Template Web page. 

6. Select the template file from the location corresponding to the RAM deployed on 
the machine, and then click Select to continue. 

The system displays the Template Details Web page with information on the 
selected template and its Virtual Machines. 

Confirm whether the template you selected is for Client Enablement Services 6.1 
SP1. 

7. Click Upgrade to start the template upgrade over the currently installed template. 
The system displays the Pre-install configuration details Web page. 

8. Click Next to continue. 

The system displays the Network Settings Web page. This page is read-only. 

To enter the required information in the template upgrade screens, see the 
installation worksheet. For more information, see Installation worksheet: 
information required by template installation on page 39. 

9. Click Next to continue. 

The system displays the one-X CES License Agreement Web page. 

10. Accept the license agreement and click Next to continue. 
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The system displays the NTP Server Details Web page. 

11. Modify the details as applicable and click Next to continue. 

The system displays the LDAP Information Web page. 

12. Modify the details in the User LDAP UserName, User LDAP Password, and 
Confirm fields, if required. 

The remaining fields are read-only. 

13. Click Next to continue. 

The system displays the LDAP Configuration Web page. This page is read-only. 

14. Click Next to continue. 

The system displays the SIP Local Web page. 

15. Modify the details as applicable and click Next to continue. 

The system displays the Handset Server/Service Web page. 

16. Modify the details as applicable and click Next to continue. 

The system displays the Transcoding Server Web page. 

17. Modify the details as applicable and click Next to continue. 

The system displays the System Manager (SMGR) Web page. 

18. Modify the details as applicable and click Next to continue. 

The system displays the WebLM Details Web page. 

You cannot modify the WebLM configuration on this page. 

Use the Client Enablement Services administration Web page to modify the WebLM 
configuration. 

19. Click Next to continue. 

The system displays the Summary Web page. 

20. Confirm the details and click Upgrade to continue with the Client Enablement 
Services template upgrade. 

The system closes the Summary Web page and the upgrade continues. Once the 
upgrade is complete, the system displays the message that the template upgrade 
completed successfully. 

Note: 

To re-harden the server once the upgrade is complete, you must manually reboot 
the Client Enablement Services server from the cdom. 

Log in to the cdom as admin/adminOi and click Virtual Machine Management 
> Manage. Select the one-X CES virtual machine and click Reboot. 
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Verifying the upgrade 

Procedure 

1. Log in to the Client Enablement Services administration client using the credentials 
provided in the template upgrade for the User LDAP UserName and User LDAP 
Password fields. 

The default Web page address is https : //<one-x ces ip or fqdn>/ 
admin, where one-X CES IP or FQDN is the IP address or the Fully Qualified 
Domain Name (FQDN) of the computer that hosts Client Enablement Services. 

For example, if the name of the computer that hosts Client Enablement Services is 
onexcES and the domain is xyzcorp. com, the Web page address for your 
administration application is https : //oneXCES . xyzcorp. com/admin/. 

2. On the administration client, check whether you can view the following tabs: Home, 
Users, Servers, Scheduler, System, and Monitors. 

3. Click the System tab. 

4. In the left pane, select General. 

The Application Server Version field displays the version of Client Enablement 
Services. If the version number matches the version of Client Enablement Services 
that you upgraded, this indicates that the system completed the upgrade 
correctly. 


Handset Server upgrade 

For upgrading the Handset Server, you do not need to uninstall the earlier installation. 

To upgrade the Handset Server on the: 

• Standalone Server: Run the latest Handset Server installer, that is, RHServer.bin. 
Follow the installation prompts to complete the installation. 

• Co-resident Server: Run the Client Enablement Services upgrade. When you upgrade 
Client Enablement Services, the system automatically upgrades the Handset Server on 
the Co-resident Server. 
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Upgrading the Standalone Handset Server 

Procedure 

1. Log in to the Handset Server using the SSH Terminal. 

2. Backup the keystore. jks file located in the /opt/avaya/HandsetServer/ 

directory on the Standalone server. 

If you have installed any third-party certificates like VeriSign, ensure that you back 
up the IHS keystores first and then restore the keystores after the installion. 

The keystores are located in the/ opt / ibm/http Server directory. 

3. Ensure that the Handset Server is not running. If the Handset Server is running, 
stop the Handset Server using the service handset_server stop 
command. 

4. Upgrade the Handset Server using the latest Handset Server installer, that is, 

RHServer. bin. 

Follow the installation prompts to complete the installation. 

5. Exit the SSH terminal and relogin using SSH on the Handset Server. 

6. Restore the keystore. jks file from your backup location. 

a) Copy the keystore . jks file to the /opt/avaya/HandsetServer 

directory. 

b) Start the Handset Server using the service handset_server start 
command. 

7. To verify that the Handset Server is running, run the service handset_server 
status command. 

• If the Handset Server is running, the system displays the Handset Server 
process. 

• If the Handset Server is not running, start the Handset Server using the 
service handset_server start command. 

Alternatively, you can verify the status of the Handset Server using the ps -ef | 
grep RoutingHandsetServer command. 

8. Restart Handset Services from the Client Enablement Services Web administration 
application. 
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Transcoding Server upgrade 


Verifying that the IBM HTTP Server is running post upgrade 

Procedure 

1. For Co-resident Flandset Server deployments: 

a) Log in to the Client Enablement Services server using the SSFI Terminal. 

b) To verify that the IHS is running, run the ps -ef | grep HandsetServer 
command. 

• If the IHS is running, the system displays the IHS process ID. 

• If the IHS is not running, start the IHS using the service ihs start 
and service ihs_admin start commands. 

2. For Standalone Flandset Server deployments: 

a) Log in to the Flandset Server machine using the SSFI Terminal. 

b) To verify that the IHS is running, run the ps -ef | grep HandsetServer 
command. 

• If the IHS is running, the system displays the IHS process ID. 

• If the IHS is not running, start the IHS using the service ihs start 
and service ihs_admin start commands. 


Transcoding Server upgrade 

When you upgrade the Client Enablement Services template, the system upgrades the 
Transcoding Server. 

The default directory for the Destination of converted audio messages property on the 
Modify Audio Transcoding Web page of the Client Enablement Services administration Web 
site is /tmp/transcoding. 

Note: 

During the template upgrade, the system automatically creates the transcoding folder. If 
the system does not create the folder automatically, then you must manually create this 
folder before starting the Transcoding Server. 
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Setting up Avaya one-X® Client Enablement Services 

To configure the Client Enablement Services system, see Administering Avaya one-)f Client 
Enablement Services. 
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Chapter 7: Troubleshooting and 

maintenance 


Troubleshooting the Avaya one-X® Client Enablement 
Services installation 

About this task 

If you encounter an issue with the Client Enablement Services installation, you must perform 
the following: 

Procedure 

1. Review the topics in this Troubleshooting section for possible resolutions to your 
problem. 

2. Retry the action. Carefully follow the instructions in the online documentation. 

3. Retrieve the log files and review all applicable error messages. 

4. If the problem occurs in a Client Enablement Services application, check the System 
Status window and check the detailed status of your system. 

5. Note the sequence of steps and events that led to the problem and the exact 
messages displayed. 

6. If possible, capture screen shots that show what happens when the issue occurs. 


Next steps 
© Tip: 

If the proposed solutions do not resolve your problem, or if you encounter an issue that is 
not included in this section, follow your corporate process to obtain support. 
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Unable to access the System Platform Web Console 

You are unable to access the System Platform Web Console. Also, when you try to ping the 
cdom, you do not get a response. 


Troubleshooting steps 

The xm list command displays information about the running virtual machines in a Linux 
screen. 

You must see only three virtual machines running at this time: System Domain shown as 
Domain-0, Client Enablement Services shown as onexps), and Console Domain shown as 

udom. 

A state of r indicates that the virtual machine is running. A state of b indicates that the virtual 
machine is blocked. 

Note: 

The blocked state does not mean that there is a problem with the virtual machine. It only 
means that the virtual machine is currently not using any CPU time. 

Other possible virtual machine states are: 

• p: paused 

• s: shutdown 

• c: crashed 

If the virtual machine is in the p, s, or c state, you will not be able to access the System Platform 
Web Console. Hence, you will not be able to ping the cdom. 

For more information, see the Installing and Configuring Avaya Aura™System Platform 
guide. 

Procedure 

1. Log in to the System Domain (Dom-0) as admin/adminoi. 

2. Enter su - to log in as root. 

3. At the prompt, type xm list. 

4. On the Linux screen, type exit to log off as root. Type exit again to log off from 
the System Domain (Dom-0). 
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Template installation fails 


5. If the state of cdom is not r or b, then you must reinstall System Platform and ensure 
that the cdom is accessible. 


Template installation fails 

The template installation can fail for any of the following reasons: 

• Checksum mismatch: The system returns this error on the initial pages during the 
installation when it cannot verify the Checksum of image files. 

• Memory allocation error: The system returns this error on the initial pages during the 
installation due to insufficient memory. The system displays the following error message: 

Insufficient resources to install this template (Insufficient 
memory. Requested 8192MB (more), available free space 6488MB). 

• Kernel mismatch: The system returns this error on the last page during the 
installation. 

• Post-install plug-in failed: The system returns this error on the last page during the 
installation or when the installation is stuck at this step. 

• The template installation plug-in is stuck at the last stage for more than an hour. 


Troubleshooting steps 

Procedure 

1. Perform one of the following steps depending on the reason for template failure: 

• If the template failure is because of Checksum mismatch, you must download 
the template files again. 

• If the template failure is because of Memory allocation error, you must check 
the available RAM on the system and then install the Client Enablement 
Services template. 

• If the template failure is because of Kernel mismatch, you must reboot the 
Dom-0. You can perform this using the System Platform Web Console. In the 
left pane, click Server Management > Server Reboot/Shutdown and then 
click Reboot. 

• If the template failure is because of failure of post-install plug-in, reboot the 
cdom using the System Platform Web Console using the procedure mentioned 
in the previous step and try the installation again. 

• If the plug-in is stuck during the installation of the template, and the in-progress 
status does not change, check if the Client Enablement Services IP address 
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is reachable using the ping command. If the ping command indicates that the 
Client Enablement Services IP address is not reachable, cancel the existing 
template installation and reboot the cdom using the System Platform Web 
Console using the procedure mentioned in the previous step and try the 
installation again. 

2. If the reason for template failure is unknown, you must perform the following: 

• Check if all the required files are downloaded 

• Check if the file permissions are correct 

• Check if the System Manager and the Client Enablement Services server are 
having the same time stamp 

• Ensure that Client Enablement Services can access System Manager 

• Ensure that the LDAP is up and running 

• Check if the LDAP service account password includes special characters such 
as $, #, {,", and -. If the password includes special characters, and you install 
the Client Enablement Services template, the template installation is stuck at 
the last stage for a long time. 


Template installed but Avaya one-X® Client Enablement 
Services does not run 

Even after installation of the template is complete, Client Enablement Services does not run 
due to the following reasons: 

• Input error 

• Unexpected syntax in input 

• Post-install plug-in failed 

• Cdom not restarted after you deleted the existing template 


Troubleshooting steps 

Procedure 

Perform the following: 

• Log in to the System Platform Web Console and ensure that the Client 
Enablement Services virtual machine is running. 
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Out-of-memory error 


• Log in to the CLI of the Client Enablement Services virtual machine as an admin 
user. If login fails, reboot the Client Enablement Services virtual machine using 
the System Platform Web Console and try logging in again. 

• Log in to the CLI of the Client Enablement Services virtual machine as a root user 
and execute the command service lxp restart. 

• Check the vsp logs in the /opt/vsp/iog directory for any failure. 

- post_instaii_conf ig. log: Logs the results of the installation 

- restore_tempiate. log: Logs results of the template restore. The 
system performs the restore after installation upgrades. 

• Check the Client Enablement Services trace log in the /opt/iBM/webSphere/ 
AppServer/prof iles /default /logs /server 1 directory. 

• If the plug-in is stuck during the installation of the template, and the in-progress 
status does not change, you must reboot the cdom using the System Platform 
Web Console and try the installation again. 

• Check if the LDAP service account password includes special characters such 
as $, #, {,", and -. If the password includes special characters, after the installation 
is complete, and you log in to the Client Enablement Services administration 
application, the system displays an error message. 

• If you are installing a new template, you must restart the cdom using the System 
Platform Web Console after you delete the existing template. 


Out-of-memory error 

If you reinstall the template by deleting and installing it multiple times, an out-of-memory space 
permanent generation (PermGen) error can occur. 

This is possible if you did not reboot the cdom using the System Platform Web Console, after 
you delete the existing template. 


Troubleshooting steps 

About this task 

Perform the troubleshooting steps given here to ensure that a PermGen error does not 
occur. 

Procedure 

1. Delete the template. 
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2. Restart Tomcat by performing the following steps: 

a) Log in to the cdom as admin/adminoi. 

b) Enter su - to log in as root. 

C) At the prompt, type /sbin/service tomcat restart 

3. Log in to the System Platform Web Console. 

4. Install the template. 


Unable to login into the Avaya one-X® Client Enablement 
Services Web administration portal 

You are unable to login into the Client Enablement Services Web administration portal or get 
a 500 internal error on log-in. 


Troubleshooting steps 

Procedure 

Perform the following: 

• Ensure that the LDAP server is connected and running 

• Ensure that the user name and password are correct 

• Ensure that the user name is part of the Administrator Security Group 

• Ensure that the database is running 

- If the database is not running, login into the CLI of the Client Enablement 
Services server as root user. 

- Switch to dbinst user using the command su - dbinst 

- Run the command db2start 

- Switch to the root user and restart WAS by using the command service 
lxp restart 
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User is unable to login into the Avaya one-X® Mobile client 


User is unable to login into the Avaya one-X® Mobile client 

You have installed the Handset Server; however, the user is unable to login into the Avaya 
one-X® Mobile client. 


Troubleshooting steps 

Procedure 

1. Log in to the CLI of the server on which you have installed the Handset Server. 

2. Check the handset_server. properties file in the /opt/avaya/ 

HandsetServer directory to ensure all the values are correct. 

3. Check if the Handset Server is running using the command: ps -ef | grep 

HandsetServer. 

• If the Handset Server is not running, start the Handset Server using the 
command: service handset_server start. 

• If the Handset Server is running, restart the Handset Server using the 
command: service handset_server restart. Restart the Handset 
Service from the Client Enablement Services administration client using the 
Monitors tab and then update the user to login into the Avaya one-X® Mobile 
client. 

4. If the user is still unable to login, perform the following: 

a) Kill the currently running Handset Server process using the command Kill -9 
<PID>. 

b) Start the Handset Server. 

c) Restart the Handset Service from the Client Enablement Services 
administration client using the Monitors tab and then update the user to login 
into the Avaya one-X® Mobile client. 


Transcoding Service is unable to connect to the 
Transcoding Server 

On the Monitor Audio Transcoding Services Web page of the Client Enablement Services 
administration Web site, check whether the status of the State field is set to Unavailable. 
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This indicates that the Transcoding Service is not able to connect to the Transcoding Server 
or there is some issue in the Transcoding Server configuration. 


Troubleshooting steps 

Procedure 

Perform the following: 

• Check whether the Transcoding Server is running as mentioned in Verifying 
whether the Transcoding Server is running on page 86. 

• Open the TranscodingServer .properties file from the opt/avaya/lxp/ 
transcodingserver/conf ig directory. Ensure that the value of the 
transcoding.server.port property is same as the value specified in the 
Transcoding Server Address: Port field on the Modify Audio Transcoding Web 
page of the Client Enablement Services administration Web site. 

• Check whether the system creates the /tmp/transcoding directory for the 
Destination of converted audio messages property on the Modify Audio 
Transcoding Web page of the Client Enablement Services administration Web 
site. This directory must be present on the server. 

• Check the host IP address at Servers > Audio Transcoding > Transcoding 
Server Address. By default, the address is same as the loopback IP address. 
The Transcoding Server can function on both the loopback and the Client 
Enablement Services IP address. 


Secure SSL connection between servers fails 

If you do not synchronize the time stamps, the secure SSL connection between the servers 
fails. 

Time synchronization ensures that time stamps for all integrated systems are consistent. 


Troubleshooting steps 

Procedure 

1. Log in to the cdom and the Client Enablement Services systems using SSH Terminal 
as craft/craftoi and then switch the user to root using the command su - 
root and password rootOI. 
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Trace errors using log files 


2. Check the date on both the systems using the command: date 

If the time zone differs, you must use NTP for both cdom and Client Enablement 
Services to correct this mismatch. 


Trace errors using log files 

This topic lists the log files that you can use to trace errors during the troubleshooting 
process. 

Console domain log files 

• Log files in the /var/iog/vsp directory 

• Files in the /vspdata/template/onexps_template directory 

Client Enablement Services domain log files 

• Log files in the /opt/vsp/iog directory 

• IBM log files in the /opt/IBM/WebSphere/AppServer/prof iles/default/logs/ 
serveri directory 

Client Enablement Services domain files that are updated during the template 
installation 

•/opt/avaya/lxp/AcpInstallationConfig. sql 

• /opt/avaya/lxp/AcpInstallationWebLM.sql 

• /opt/avaya/lxp/config.properties 

• /opt/avaya/lxp/installapps.py 

• /opt/avaya/lxp/SIP_local_update.sql 

•/opt/avaya/HandsetServer/handset_server.properties 

Handset Server log files 

The Handset Server log files are located in the /opt/avaya/HandsetServer/iogs 
directory. 

• To check all logs, view the hs. log file. 

• To check only the error information, view the hs_errors. log file. 

• To check only the I/O logging information, view the hs_io. log file. 

To view the properties for the Handset Server log files, check the iog4 j. properties file 
located in the /opt/avaya/HandsetServer directory. 
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Commands for use in Avaya one-X® Client Enablement 
Services 


• To start the Client Enablement Services server, on the shell prompt, type the service 
lxp start command. 

• To stop the Client Enablement Services server, on the shell prompt, type the service 
lxp stop command. The system prompts you to enter your user name and password 
when it tries to stop the server. 

• To restart the Client Enablement Services server, on the shell prompt, type the service 
lxp restart command. The system prompts you to enter your user name and 
password when it tries to stop the server. 

• If you tail to access the https://<one-x ces ip or fqdn >/mobileapps page from 
Avaya one-X® Mobile or a browser, you must check the access_iog file using the 
Command: tail -f /opt/IBM/HTTPServer/logs/access_log. 


Enabling VNC server for maintenance 

Before you begin 

You must stop or configure the firewall (iptables) to allow VNC access. If the iptables are 
running or not configured to allow a VNC connection, you cannot access using VNC. 

Procedure 

1. Log in to the Client Enablement Services server using SSH Terminal as craft/ 
craft01 and then switch the user to root using the command su - root and 
password rootOI. 

2. Start the VNC server using the command: vncserver 

Note: 

When you run this command for the first time, you must set a password. 

a) To allow access to the desktop, you must edit the xstartup file. This file is 
located in the user's home directory in the -/. vnc/xstartup path. 
Uncomment the following lines, that is, remove the # sign: 

•lunset SESSION_MANAGER 

•texec /etc/Xll/xinit/xinitrc 

b) To change the password for access, type vncpasswd 
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Enabling VNC server for maintenance 

3. Stop the VNC server using the command: vncserver -kill :l 
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Appendix A: Port usage 


Server 

Network / 
Application 
Protocol 

Destination 

Port(s) 

Source Port(s) 

Comments 

Modular 

Messaging/Avaya 
Aura® Messaging 

TCP/SMTP 

25 

1024-65535 

SMTP for sending 
e-mail and SMS 

SSL/SMTP 

465 

1024-65535 

SMTP for sending 
e-mail and SMS 


SSL/IMAP4 

993 

1024-65535 

IMAP for retrieving 
voicemails and 
faxes for display, 
and audio 
playback for user 


TCP/LDAP 

389 or 636 

1024-65535 

LDAP for Modular 
Messaging/Avaya 
Aura® Messaging 

Conferencing 

TCP 

2002 

1024-65535 

Protocol for 
communicating 
with Meeting 
Exchange 


TCP / BCAPI 

5040 with auto¬ 
increment 

1024-65535 

BCAPI Protocol for 
communicating 
with Meeting 
Exchange 


UDP/BCAPI 

5040 with auto¬ 
increment 

1024-65535 

BCAPI Protocol for 
communicating 
with Meeting 
Exchange 

Presence Services 

SIP over MLTS 

5061 (SIP) 

9072(LPS 
Consumer Port) 
9070(LPS 

Supplier Port) 

2009 (RMI) 

1024-65535 

Presence updates 
for a contact 

WebLM 

SSL/HTTP 

If the WebLM is 
local, the port is 
8443. 

1024-65535 

Communication 
with Avaya 
Licensing 
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Port usage 


Server 

Network / 
Application 
Protocol 

Destination 

Port(s) 

Source Port(s) 

Comments 



If WebLM is on 
System Manager, 
the port is 52233. 



Enterprise 

Directory 

TCP/LDAP 

389 

1024-65535 

Enterprise 
contacts and 
security group 
information 

SSL/LDAP 

636 

1024-65535 

Enterprise 
contacts and 
security group 
information 

Client Enablement 
Services 
Administration 
Client 

SSL/HTTP 

443 and 9443 

1024-65535 

Communication 

with 

Administration 

Client 

Command Line 
Interface (CLI) 

SSH 

22 

1024-65535 

Open from inside 
Corporate firewall 
to HTTP Server 

Management 

Nodes 

SNMP 

162 

1024-65535 

SNMP Traps 

System Manager 

SCEP 

443 

1024-65535 

Communication 
with System 
Manager for trust 
management 

Client Enablement 
Services 

xSocket using SSL 
v3 

8888 

(configurable) 

1024-65535 

Open from 

Handset Server to 
Client Enablement 
Services 

Handset Server 

xSocket using SSL 
v3 

7777 

(configurable) 

1024-65535 

Open from Public 
Internet to 

Handset Server 

Handset Device 

SSL/HTTP 

443 

1024-65535 

Download mobile 
binaries package 

Session Manager 
or Communication 
Manager 

SIP 

5060 or 5061 

1024-65535 

Communication 
with Session 
Manager or 
Communication 
Manager 
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Appendix B: LDAP Information field 

descriptions 


Property Name 

Property values 

Notes 


Example value 

Your value 


LDAP information 




LDAP Type: Active Directory (Single Domain) 


LDAP Host 

###.###.###.### 


IP address of the computer that hosts 
the Enterprise Directory server. 

The host value can also be the 

FQDN. 

LDAP Port 

389 


Port that the Client Enablement 
Services computer will use to 
communicate with the Enterprise 
Directory server. 

Note: 

You must install the Client 
Enablement Services template 
over the non-secure port (389) for 
LDAP connection. If you want to 
establish a secure connection, this 
can be done later using the Client 
Enablement Services 
administration client. For more 
information, see the Appendices in 
this document. 

LDAP Domain 

users, domain, xyz 
corp.com 


Fully qualified domain name 
configured on the Enterprise Directory 
server. 

LDAP UserName 

admin_service_u 

ser 


Enterprise Directory user that you 
created for the Client Enablement 
Services administrative service 
account. 

Note: 

The user must be a member of the 
Client Enablement Services 
administrator's security group 
created for this install. Client 
Enablement Services uses this 
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LDAP Information field descriptions 


Property Name 

Property values 

Notes 


Example value 

Your value 





user for assigning permissions to 
users for performing administrative 
tasks. 

LDAP Password 



Password for the Client Enablement 
Services administrative service 
account. 

Confirm 



Confirm password for the Client 
Enablement Services administrative 
service account. 

LDAP Type: SUN Directory Server Enterprise Edition 

LDAP Host 



IP address of the computer that hosts 
the Enterprise Directory server. 

The host value can also be the 

FQDN. 

LDAP Port 

389 


Port that the Client Enablement 
Services computer will use to 
communicate with the LDAP server. 




Note: 

You must install the Client 
Enablement Services template 
over the non-secure port (389) for 
LDAP connection. If you want to 
establish a secure connection, this 
can be done later using the Client 
Enablement Services 
administration client. For more 
information, see the Appendices in 
this document. 

Base Domain Name 

dc=Avaya,dc=co 

m 


The base domain name. 

Bind Domain Name 

uid=admin,ou=P 

eople,dc=Avaya 

,dc=com 


The bind domain name. 

Note: 

The user must be a member of the 
Client Enablement Services 
administrator's security group 
created for this install. Client 
Enablement Services uses this 
user for assigning permissions to 
users for performing administrative 
tasks. 

LDAP Password 



Password for the Client Enablement 
Services administrative service 
account. 
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Property Name 

Property values 

Notes 

Example value 

Your value 

Confirm 



Confirm password for the Client 
Enablement Services administrative 
service account. 

LDAP Type: IBM Domino Server and Novell eDirectory 

LDAP Host 

###.###.###.### 


IP address of the computer that hosts 
the Enterprise Directory server. 

The host value can also be the 

FQDN. 

LDAP Port 

389 


Port that the Client Enablement 
Services computer will use to 
communicate with the LDAP server. 

Note: 

You must install the Client 
Enablement Services template 
over the non-secure port (389) for 
LDAP connection. If you want to 
establish a secure connection, this 
can be done later using the Client 
Enablement Services 
administration client. For more 
information, see the Appendices in 
this document. 

Bind Domain Name 

cn=admin,o=Ava 

ya 


The bind domain name. 

Note: 

The user must be a member of the 
Client Enablement Services 
administrator's security group 
created for this install. Client 
Enablement Services uses this 
user for assigning permissions to 
users for performing administrative 
tasks. 

LDAP Password 



Password for the Client Enablement 
Services administrative service 
account. 

Confirm 



Confirm password for the Client 
Enablement Services administrative 
service account. 

LDAP Configuration 

SUN Directory Server 
Enterprise Edition 

Admin Group 

cn=oneXCESAd 

min,cn=users,dc 

=groups,dc=dom 


The template installation uses the 
administrator security group to assign 
permissions to users who will 
administer Client Enablement 
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LDAP Information field descriptions 


Property Name 

Property values 

Notes 

Example value 

Your value 

IBM Domino Server 

Admin Group 

ain,dc=xyzcorp,d 

c=com 


Services in the Administration 
application. 

Novell eDirectory Admin 
Group 


SUN Directory Server 
Enterprise Edition Audit 
Group 

cn=oneXCESAud 

it,cn=users,dc=gr 

oups,dc=domain 

,dc=xyzcorp,dc=c 

om 


The template installation uses the 
auditor security group to assign 
permissions to users who will have 
read-only access to the Client 
Enablement Services configuration in 
the Administration application. 

IBM Domino Server 

Audit Group 


Novell eDirectory Audit 
Group 


SUN Directory Server 
Enterprise Edition User 
Group 

cn=oneXCESUse 

r,cn=users,dc=gr 

oups,dc=domain 

,dc=xyzcorp,dc=c 

om 


The template installation uses the 
user security group to assign 
permissions to users who will access 
the Client Enablement Services 
application. 

IBM Domino Server User 
Group 


Novell eDirectory User 
Group 
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Appendix C: Configuring Microsoft Active 

Directory 


LDAP over SSL configuration 

You can configure Client Enablement Services communication with Active Directory using 
Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL), also known 
as LDAPS, using the procedures described in this section. The configuration involves the 
following steps: 

1. Configuring Active Directory SSL 

2. Configuring WebSphere 

3. Configuring Client Enablement Services for LDAPS 

Prerequisite 

Install Client Enablement Services using LDAP and then configure WebSphere with the Active 
Directory certificate authority (CA) to communicate using SSL. 


Configuring Active Directory SSL 

If you have not configured Active Directory to use SSL, you must perform the following. 

Before you begin 

• Install Certificate Authority (CA) on a Windows 2003 server or on a Windows 2008 
server. 

• Active Directory must be present on a Windows 2003 server or on a Windows 2008 
server. 

About this task 

Use the following steps to configure Active Directory to enable communication-using SSL. 

Procedure 

1. Obtain a root certificate using the following steps: 
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a) Open certificate authority Web page in your browser using the http://<CA- 
server>/certsrv link. 

b) When the system prompts you for a user service and a password, use an 
account with Administrator privileges on the CA server. 

c) Click Download a CA certificate, certificate chain, or CRL link. 

d) Select Base-64 and then click Download CA certificate. 

e) Use download function of your browser to save the certificate as a file with a .cer 
extension. 

Note: 

All root certificates from the same certificate authority are functionally the 
same. You can download a certificate once and use it repeatedly until it 
expires. 

2. Open the certificate manager using the following steps: 

a) Click Start > Run on your desktop and type mmc in the Run window. 

b) On Microsoft Management Console, click File > Add/Remove Snap-in. 

This displays the Add/Remove Snap-in window. 

c) On Add/Remove Snap-in window, select the Standalone tab and click Add. 
This displays the Add Standalone Snap-in window. 

d) Select certificates from the Add Standalone Snap-in window and click Add. 

e) Select a computer account and click Next. 

f) Select a local computer and click Finish. 

g) Click Close on the Add Standalone Snap-in window. 

h) Click OK on the Add/Remove Snap-in window 

3. Install the root certificate for the Certificate Authority using the following steps on 
the Microsoft Management Console: 

a) On the left pane, open the Certificates (Local Computer)\Trusted 
Root Certificate Authorities\Certificates folder. 

b) Click Action > Tasks > Import. 

c) On the Certificate Import wizard, click Next. 

d) Click Browse, select the root certificate file, and click Open > Next. 

e) Click Next. 

f) Select Place all certificates in the following store. 

g) Click Browse, select Trusted Root Certificate Authorities, and click OK. 

h) Click Next. 

i) Click Finish. 

j) On the right pane, select the new certificate you just imported. 

k) Click Action > Properties. 

l) Enter a name that identifies the CA. 

m) Click OK. 

4. Generate a policy file for the Domain Controller on the DC machine using the 
following steps: 
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a) Obtain a copy of the reqdccert.vbs script. This is available on the Web at several 
locations. 

b) From the command prompt, run the reqdccert.vbs script. 

c) Verify if the system creates the following files: 

•<dc-name>.inf 
• <dc-name>-req.bat 
•<dc-name>-vfy.bat 

5. Edit <dc-name> . inf with a text editor using the following steps: 

a) Under the line that says [NewRequest], add a line: 

Subject="CN=<dc-fqdn>" 

where, <dc-fqdn> is the fully qualified domain name (FQDN) of the DC. You can 
view the FQDN of the DC from Start > Control Panel > System > Computer 
Name, where it is displayed as Full Computer name. Do not forget to add the 
prefix cn= and put the whole subject in quotes. 

b) Delete the line that says Critical=2.5.29.17. WebSphere does not recognize 
this extension. 

c) Save the file. 

6. Create the certificate request on the Domain Controller using the following steps: 

a) Open the directory where the <dc-name>. inf is located and run the 
command: 

certreq —new <dc-name>.inf <dc-name>.req 

b) Copy the <dc-name> . req and <dc-name>-req. bat files to the CA 
machine. 

7. Create the domain controller certificate using the following steps: 

a) . Open the command prompt, and go to the directory where the system copied 
the files. 

b) Run the BAT file<dc-name>-req. 

c) When prompted, select the CA and click OK. The script prompts you to save 

the <dc-name>.cer file. 

Note: 

In Window Server 2008, if you get an error at this step, you can use the 
certificate request file <dc-name. req> to request a certificate from the CA, 
and obtain a certificate file <dc-name.cer> directly. 

d) Log on to the CA, and open the Certification Authority application from Start > 
Administrative Tools > Certification Authority. 

e) Open the Pending Requests folder. 

f) Accept the request for <dc-name>. 

g) Open the Issued Certificates folder. 

h) Open the new certificate. 
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i) Click the Detail tab and click Copy to file. 

j) Select a Base-64 . cer file and export it. 

8. Install the Domain Controller Certificate on the Domain Controller using the 
following steps: 

a) Copy the .cer file from CA to the DC machine. 

b) In the directory where the <dc-name>. cer file is located, run the command: 

certreq -accept <dc-name>.cer 

c) Open the certificate manager for the local system as described in step 2. 

d) In the left pane, open the Certificates folder from the <iocai drive> 
\Personai\Certif icates folder and make sure the certificate is installed. 

e) (Optional) Rename the certificate. For example, Enable LDAPS. 

f) Reboot the Domain Controller. 


Configuring WebSphere 

About this task 

After configuring the Active Directory for LDPS, use the IBM WebSphere console to configure 
WebSphere. To configure WebSphere: 

Procedure 

1. Log on to the IBM WebSphere console using the Client Enablement Services 
administrative credentials. The address for the IBM administrative console is 

https://<oneXCESMachine>:9043/ibm/console. 

2. Under the Security section, click the SSL certificate and key management link. 

3. On the SSL certificate and key management page, go to Key stores and 
certificates > NodeDefault > Signer certificates, and click Retrieve from port. 

4. Enter the Host, Port and Alias information. The Host is the IP Address of your DC 
machine, and the port is the port for the LDAPS service. Port 636 is the default 
port. 

5. Click Retrieve signer information. 

6. Click OK and save the configuration. 

7. Use the IBM console to verify the connection with the LDAP server. This test does 
not use Client Enablement Services code, so it is a good validation for the 
environment setup. To perform validation on the IBM console: 

a) Click Security > Secure administration, applications, and infrastructure. 
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b) If your system is already set up to talk to a single AD environment, the Available 
realm definitions field must be set to Standalone LDAP registry. 

c) Click Configure. 

d) Configure the parameters for your Active Directory. If the system is configured 
to communicate with Active Directory, change the Port to 63 6 and the SSL 
Settings to enable SSL. 

e) Click Test connection. If the test is successful, the system displays the 
following message: 

<LDAP IP Address> on port 636 was successful 

Note: 

If the test is not successful, you must take a corrective action based on the 
error message. 

f) Log out of the IBM Console. 

© Important: 

Do not change the configuration here, since changing the configuration on 
Client Enablement Services also changes this configuration. Do not save the 
connection at WAS. 


Configuring Avaya one-X® Client Enablement Services for 
LDAPS 

Procedure 

1. Log on to Client Enablement Services administration client: https: / / 
<oneXCESServer>:9443/admin. 

2. Open the System tab and click Enterprise Directory. 

3. Select the domain for which you must set the LDAPS configuration. 

4. Change Port value to 63 6 and the select Secure Port. 

5. Save the configuration. 

6. Restart Client Enablement Services. 
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Appendix D: Configuring Novell eDirectory 


Avaya one-X® Client Enablement Services and Novell 
eDirectory setup over SSL 

This section describes the steps to configure Client Enablement Services communication with 
Novell eDirectory using LDAP over SSL. You must have simultaneous access to WebSphere 
and Novell iManager utility to create, exchange, and configure server certificates. 

Prerequisites 

Install the following utilities on the system that you want to use to administer Novell eDirectory: 

• Novell iManager. To administer Novell eDirectory. 

• Certificate Manager add-in. To obtain the Novell Certificate Server configurable from 
Novell iManager. 

• LDAP plug-in. To administer LDAP Server from Novell iManager. 

Perform the following steps to configure Client Enablement Services and Novell eDirectory 
setup over SSL. 


Creating a trusted root container on iManager 

About this task 

Open the iManager utility in your browser and perform the following steps. 

Procedure 

1 . Click Novell Certificate Server > Create Trusted Root Container. 

2. Specify a container name of your choice in the Container field. 

3. Click Object selector and set Context as Security. 

4. Click OK. 
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Exporting Novell CA self-signed certificate as a DER file 

About this task 
© Important: 

Do not export the private key when you export. 

Procedure 

1 . On iManager, click Novell Certificate Server > Configure Certificate Authority. 

2. On the Certificates tab, select Self Signed Certificate and click Export. 

3. Clear the Export private key check box. 

4. Select the DER format and click Next. 

5. Save the file. 


Adding the self-signed certificate as a trusted root 

Before you begin 

First export the self-signed certificate as a DER file. For more information, see Exporting Novell 
CA self-signed certificate as a DER file on page 126 

Procedure 

1 . On iManager, click Novell Certificate Server > Create Trusted Root. 

2. Enter a name for the trusted root. 

3. Select <trusted root container>. Security file that you exported in the 
previous step. 
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Exporting WebSphere certificate from Avaya one-X® Client Enablement Services server and importing into Novell 


Exporting WebSphere certificate from Avaya one-X® Client 
Enablement Services server and importing into Novell 

Procedure 

1. In WebSphere Web console, click Security > SSL certificate and key 
management > Key stores and certificate. 

2. On the Key stores and Certificates page, click NodeDefaultKeyStore > Personal 
Certificates links. 

3. Select the default certificate, and click Extract. 

4. Save the certificate as a DER file on the Client Enablement Services file system, 
and transfer that file to the machine where you installed iManager. 


Adding WebSphere certificate as a trusted root on Novell 
eDirectory 

Procedure 

1 . On iManager, click Novell Certificate Server > Create Trusted Root links. 

2. Enter a name for the trusted root. 

3. Select Security container as created in previous steps. 

4. Browse and select the DER file that you received from WebSphere. 

5. Configure the LDAP Server Connection using the following steps: 

a) Set the Client Certificate = Requested, and the Trusted Root Containers = 

<trusted root container>.Security. 

b) Click Save and then Refresh. 
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Importing Novell CA certificate into WebSphere 

Procedure 


1 . In WebSphere Web console, click Security > SSL Certificate and key 
management > Key stores and certificates > NodeDefauItTrustStore > Signer 
certificates. 

2. Select the certificate and click Retrieve from port. 

3. Enter the Novell eDirectory IP Address in Host and SSL LDAP port (usually 636) 
in Port fields. Do not save the configuration yet. Use the Client Enablement Services 
administration user interface to save this configuration as described in step 8. 

4. In the WebSphere Web console, select Security > Secure administration, 
applications, and infrastructure. 

5. Make sure you select the Standalone LDAP registry, and click Configure. 

6. Change the Port to be the SSL LDAP port (usually 63 6 ). 

7. Select the SSL Enabled check box to enable SSL and click Test connection. 



Do not click Apply or Save at this step. 

8. Log on to the Client Enablement Services administration client. 

9. On the System tab, select Enterprise Directory. 

10. Select the Novell eDirectory domain, and change the configuration to use the SSL 
LDAP port. 

11. Select the Secure Port check box. 

12. Save the configuration and restart WebSphere. 
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Appendix E: Configuring SUN Directory 

Server Enterprise Edition 


Avaya one-X® Client Enablement Services and SUN 
directory setup over SSL 

You must use your own certificate authority to enable SSL on a SUN directory server, since 
SUN directory does not have an integrated Certificate Authority (CA). You must have a custom 
Certificate Authority environment, and it is out of the scope of this document to describe the 
details for any particular environment. 

This section describes how to configure Client Enablement Services communication with SUN 
directory using LDAP over SSL. 

Note: 

In the SUN directory server, in the Client Control Settings, the default Size Limit is 2000 and 
the default Lookthrough Limit is 5000. These limits restrict the total number of records 
processed using LDAP queries and the total number of records visible by the Client 
Enablement Services server synchronization. Set these limits greater than the total number 
of user records you want to import to Client Enablement Services server. 


Requesting the certificate using the console 

About this task 

You must create the request for server certificate from the SUN directory, process the request 
for server certificate on CA, and then get the certificate back from CA. 

Procedure 

1 . On the SUN Directory Service Control Center, click Directory Servers >Servers. 

2. From the list of Directory Servers, select a server. 

3. Click Security > Certificates. 

4. Click Request CA-Signed. 
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5. On the Request CA-Signed Certificate section, enter the following information: 


Field 

Description 

Common Name 

Fully qualified host name of the 
Directory Server as it is used in DNS 
lookups. 

Organization 

The legal name of your company or 
institution. Most CAs require you to 
verify this information with legal 
documents such as a copy of a 
business license. 

Organizational Unit (optional) 

Descriptive name for your division or 
business unit within the company. 

City/Locality (optional) 

Name of your city. 

State/Province 

Name of your state or province. 

Country 

Two-character abbreviation for your 
country name in ISO format. The 
country code for the United States is 
US. For a list of ISO country codes, see 
Appendix C: Directory 
Internationalization in the Sun Directory 
Server Reference Manual. 


Click OK to proceed to the next page. 

6. Enter the password of your security device, and then click Next. This is the 
password set in Creating a Certificate Database. 

7. Select Copy to Clipboard or click Save to File to save the certificate request 
information in a text file that you must send to the Certificate Authority. 


Installing the server certificate 

Procedure 

1. Send the server certificate request information to your Certificate Authority, 
according to prescribed procedures. 

For example, the CA will ask you to send the certificate request in an e-mail, or you 
will be able to enter the request through the CA Website. 

2. Wait for the CAto respond with your certificate. 
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Response time for your request varies. For example, if your CA is internal to your 
company, it will only take a day or two to respond to your request. If your selected 
CA is external to your company, the response time can be longer. 

3. When CA sends a response, save the information in a text file. 

The PKCS #11 certificate in PEM format appears similar to the example. 


Example 

BEGIN CERTIFICATE 

MIIC j CCAZugAwIBAgICCEEwDQYJKoZIhKqvcNAQFBQAwfDELMAkGAlUEBhMCVVMx 
IzAhBgNVBAoGlBhbG9a2FWaWxsZGwSBXaWRnZXRzLCBJbmMuMROwGwYDVQQLExRX 
aWRnZXQgTW3FrZXJzICdSJyBVczEpMCcGAxlUEAxgVGVzdCBUXNOIFRlc3QgVGVz 
dCBUZXNOIFlc3QgQOEswHhcNOTgwMzEyMDIzMzUWhcNOTgwMzI2MDIzMpzU3WjBP 
MQswCYDDVQQGEwJVUzEoMCYGAlUEChMfTmV0c2NhcGUgRGlyZN0b3J5VIFBlYmxp 
Y2F0aW9uczEWMB4QGAlUEAxMNZHVgh4 9dq2tLNvbj TBaMAOGCSqGSIb3DQEBAQUA 
AOkAMEYkCQCksMR/aLGdfp4mOOiGgij G5KgOsyRNvwGYW7kfW+8mmijDt ZaRjYN j 
j cgpF3VnlbxbclX9LVjjNLC57 37XZdAgEDozYwpNDARBglghkgBhvhCEAQEEBAMC 
APAwHkwYDVRO jBBgwFAU67URjwCaGqZHUpSpdLxlzwJKiMwDQYJKoZIhQvcNAQEF 
BQADgYEAJ+BfVem3vBOPBveNdLGf jlb9hucgmaMcQa9FA/db8qimKT/ue 9UGOJqL 
bwbMKBBopsDn5 6p2yV3PLIsBgrcuSoBCuFFnxBnqSiTS7YiYgCWqWaUAOExJFmD 6 
6hBLseqkSWulk+hXHN7L/NrViO+7 zNtKcaZLIFP f7d7 j 2MgX4Bo= 

END CERTIFICATE 

Next steps 

You must back up the certificate data in a safe location. If your system ever loses the certificate 
data, you can reinstall the certificate using your backup file. Once you have your server 
certificate, you are ready to install it in the certificate database of your server. 


Installing server certificate using the console 

Procedure 

1 . On the SUN Directory Service Control Center, click Directory Servers >Servers. 

2. From the list of Directory Servers, select a server. 

3. Click Security > Certificates. 

4. On the Add Certificate page, enter a name of the certificate in the Certificate Name 
field and copy the text from the CA certificate received in the Certificate field. 

5. Click OK. 

6. Verify the certificate by providing the password that protects the private key. Use 
the same password that you provided for Creating a Certificate Database. 
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7. Click Done to close the wizard. 

Your new certificate must appear in the list on the Server Certs tab. Your server is 
now ready for SSL activation. 

8. Reboot the Directory Server. 


Trusting the Certificate Authority using the console 

About this task 

After securing the CA certificate, you can use the Certificate Install Wizard to configure the 
Directory Server to trust the Certificate Authority. 

Procedure 

1. Perform one of the following steps to begin: 

• On the Tasks tab of the Directory Server console, click Manage 
Certificates. 

• On the top-level Tasks tab of the Directory Server console, select the Manage 
Certificates from the Console > Security menu. 

This displays the Manage Certificates window. 

2. On Manage Certificates window, select the CA Certs tab and click Install. This 
opens the Certificate Install Wizard window. 

3. Perform one of the following steps to submit the certificate: 

• If you saved the certificate to a file, enter the path in the field provided and click 

Next. 

• If you received the certificate through e-mail, copy and paste the certificate 
including the headers into the text field provided and click Next. 

4. Verify that the certificate information displayed is correct for your CA and then click 

Next. 

5. Specify the certificate name, and then click Next. 

6. Select the purpose of trusting this CA from the following choices. You can select 
one or both depending on your corporate requirement and policy: 

• Accepting connections from clients (Client Authentication). Select this 
check box if your LDAP clients perform certificate-based client authentication 
by presenting certificates issued by this CA. 
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• Accepting connections to other servers (Server Authentication). Select 
this check box if your server functions in a replication supplier role over SSL 
with another server that has a certificate issued by this CA. 

7. Click Done to close the wizard. 


Activating SSL on SUN Directory Server 

About this task 

Activate SSL on SUN Directory Server and configure SSL to use the new server certificate. 
The following procedure activates SSL communications and enables encryption mechanisms 
in the directory server: 

Procedure 

1 . On the top-level Configuration tab of the Directory Server console, select the root 
node with the server name, and then select the Encryption tab in the right panel. 
The Encryption tab displays the current server encryption settings. 

2. Select the Enable SSL for this Server check box to enable encryption. 

3. Select Use this Cipher Family check box. 

4. Select the certificate that you want to use from the drop-down menu. 

5. Click Cipher Settings and select the ciphers you want to use in the Cipher 
Preference dialog. 

6. Set your preferences for client authentication. Select one of the following 
preferences: 

• Allow client authentication. This is the default setting. With this option, 
authentication is performed on the clients request. 

• Use SSL in SUN Server Console. Select this option if you want the console 
to use SSL when communicating with Directory Server. 

7. Click Save or set the secure port you want the server to use for SSL communications 
in both LDAP and DSML-over-HTTP protocols. 

Note: 

All connections to the secure port must use SSL regardless of whether you 
configure the secure port. After you activate SSL, clients can use the Start TLS 
operation to perform SSL encryption over the non-secure port. 

8. Restart the directory server. 
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Adding server certificate in WebSphere 

About this task 

To import the SUN Directory Server certificate into WebSphere: 

Procedure 

1. Go to the WebSphere (WAS) console by using the https://<onexp server ip>:9043/ 
ibm/console link. 

2. In WebSphere Web console, select Security > SSL Certificate and key 
management > Key stores and certificates > Node Default Trust Store > Signer 
certificate. 

3. Select Retrieve from port. 

4. Specify the SUN Directory Server IP address and SSL LDAP port (usually 636). 

5. Enter an Alias for the certificate. For example, sunonecert. 

6. Click Retrieve Signer information. 

7. Click OK. 

© Important: 

Do not save the connection here. Use Client Enablement Services administration 
application to save the configuration. 


Testing connection from WebSphere to SUN Directory 
Server 

About this task 

Test the LDAP connection to see if it works but do not save it. Use Client Enablement Services 
administration Ul to save this configuration. 

Procedure 

1 . In the WebSphere Web console, select Security > Secure administration, 
applications, and infrastructure and select the Standalone LDAP registry check 
box. 
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2. Click Configure. 

3. Change the port to make it an SSL LDAP port (usually 636). 

4. Select SSL enabled check box to enable SSL. 

5. Click Test Connection. The system must return a success message. 


Changing Avaya one-X® Client Enablement Services 
configuration for secure connection 

Procedure 

1. Log in to the Client Enablement Services administration client. 

2. Select System tab and click Enterprise Directory. 

3. Choose the SUN Directory Server domain, and change the configuration to use the 
SSL LDAP port. 

4. Select the Secure Port check box. 

5. Save the configuration and restart WebSphere. 
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Appendix F: Configuring IBM Domino 

Server 


Avaya one-X® Client Enablement Services and Domino 
directory setup over SSL 

You must use your Certificate Authority (CA) to enable SSL on a Domino directory since 
Domino does not have an integrated CA. You can have a custom CA environment, but it is out 
of the scope of this document to describe the details for a particular environment. This section 
describes how to configure Client Enablement Services to enable communication with the 
Domino directory using LDAP over SSL. 


Registering an Internet certifier 

Procedure 

1. Launch the Domino Administrator client by using the Administrator ID file. 

2. Select the correct domain and server. 

3. Click Configuration to go to the Configuration tab. 

4. From the menu, click Configuration > Registration > Internet Certifier. 

5. Select I want to register a new Internet certifier that uses the CA process, and 
click OK. 

6. In the Register a New Internet Certifier dialog box, click Create Certifier Name 

and fill in a common name such as MyCompany ca, and click OK. 

7. Select the server on which you want to put the certifier for the CA. 

8. You can use the default Issued Certificate List (ICL) database name or modify it. 
For example, icl\icl_MyCompany.nsf. 

9. Select one of the following options for the Encrypt Certifier ID with settings: 

• Encrypt ID with Server ID: lowest security, no password required 
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• Encrypt ID with Server ID and Require password to activate certifier 

• Encrypt ID with Locking ID and choose the person whose ID will be used to 
secure the new CA 

10. Click OK. 

The system displays a success message. 


Next steps 

Run the certificate authority task. 


Running the CA task 

Procedure 

1 . On the Configuration tab of the Domino Administrator client, perform one of the 
following actions: 

• Type load ca if the task is not running. 

• Type tell ca refresh if the CA task is running. 

2. To ensure that the new CA is ready for use, type tell adminp process all. 

3. Type tell ca stat. 

If your new CA does not show up in the list, type tell adminp process all. 

4. Type tell ca refresh. 

The system displays the new CA, if included in the list. 

5. To verify that the new CA is initialized, type tell ca stat. 

6. To activate your password when your CA is not active, type tell ca activate 
certifier number password 

7. To obtain the actual value for certifier number, type tell ca stat. 

The system lists each CAwith a number preceding it. Use this number to identify a 
tell command. 


Next steps 

Creating and setting up the certification request database 
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Creating and setting up the certification request database 


Creating and setting up the certification request database 

Procedure 

1 . On the Domino Administrator client, select File > Database > New, then select your 
server. 

2. In the Specify New Database Name and Location section of the New database 

page, enter a title for the database. For example, enter western ca database. 

3. Enter a name for the database file, for example, certreq.nsf. 

Each Internet Certifier requires a unique Certificate Requests database. If you are 
going to create additional Internet CAs in future, provide a unique title for the 
associated CAs in the Certificate Requests database. For example, you can provide 
the title Cert Req MyCompany, and a file name such as CR_myco. nsf . Keep the 
file name short so that it is easier to enter as part of a URL in a Web browser. 

4. In the Specify Template for New Database section of the New database page, 
ensure that the template server is set to server, and not to local. 

5. Select Show Advanced Templates and select the template name Certificate 
Requests (6) with the file name certreq.ntf. 

6. To create the Certificate Requests database, click OK. 

The system creates the database. 

7. Close the About... document. 

The system displays the Database Configuration form. 

• Select the administration server. 

This server runs the CA process for the supported CA. 

• Select the CA you created in the Configuring Domino SSL topic. 

• Select the intended purpose of this CA: 

- Server Certificates Only 

- Both Client and Server Certificates 

Do not select Client Certificates Only if you want to create a server key ring for 
SSL. 

8. From the Processing Method drop-down list, select one of the following processing 
methods: 

• Automatic 

• Automatic Transfer Server (optional) 
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If you select the Automatic method, the person designated as an RA must be listed 
amongst those who can select Run unrestricted methods and operations in the 
Administration Server's server document. 

RA is often the same person who creates the Certificate Requests database, that 
is, certreq. nsf. To verify this or to make changes, open the Domino Directory, 
navigate to the Server/Servers view, open the appropriate server document, and 
navigate to the Security section to see the Processing Method field. 

If you do not set the Processing Method field properly, you will not be able to run 
the agents in the Certificate Requests database. 

9. Select whether you want the applicant to receive the confirmations. 

10. Click Save & Close. 


Next steps 

Creating a key ring 


Creating a key ring 

Procedure 

1. Open the Domino administration client. 

2. On Files tab, open the Certification Requests database. 

3. Select Domino Key Ring Management >Create Key Ring. 

The system displays the Create Key Ring form. 

4. In the Key Ring File Name field, enter a file name for the key ring file without the .kyr 
extension. 

5. In the Password and Confirm Password fields, enter identical passwords. 

6. From the Key Size drop-down list, select a key size. 

7. In the Common Name field, enter the common name of the server. 

The common name of the server must be a fully qualified host name, for example, 
server.company.com. 

8. In the Organization field, enter the organization name. 

All other fields are optional. 

9. Click Create Key Ring. 

10. To automatically add your CA as a trusted root and to generate a certificate request 
for your server, in the Key Ring Created dialog box, verify the information and click 

OK. 
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Approving a key ring request 


11. In Merge Trusted Root Certificate Confirmation dialog box, verify the information 
and click OK. 

The system displays the Certificate received into key ring and designated as 
trusted root confirmation screen. 

12. Click OK. 

The system displays the Certificate Request Successfully Submitted for Key 
Ring dialog box. 

13. To dismiss the message, click OK. 


Next steps 

Approving a key ring request 


Approving a key ring request 

Procedure 

1. Open the Certificate Requests database. 

2. To refresh the view, on the Pending/Submitted Requests view, press f 9 if you do 
not find your request. 

3. If the status of the request is Submitted to Administration Process, go to step 5. 
If the status of the request is Pending Submission, select the request and click 

Submit Selected Requests. The system displays the Successfully submitted 1 
request(s) to the Administration Process message. 

4. Click OK. 

Keep the Certificate Requests database open. 

5. Open the Administration Requests database Admin4 . nsf , go to the Certification 
Authority Requests/Certificate Requests view, and find your new request. 

6. Double-click the request to open it, click Edit Request, and verify the information 
of the request. 

7. Once you have verified the information and finished making any optional changes, 
click Approve Request. 

8. Press F9 till the state of the request changes from the New state to the Issued 
state. 

The request state might change to Approved state before changing to the Issued 
state. 
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Next steps 

Checking the status of a key ring request 


Configuring a port 

Procedure 

1 . In the Server/Servers view of the Domino directory, find the server document. 

2. Open the server document and click Edit Server. 

3. In the Ports - Internet Ports section, enter the name of the new key ring file. 

Do not enter the full path of the key ring file. 

4. Scroll down the page and locate the SSL Port Status field, and change it from 

Disabled to Enabled. 

5. To enable SSL on the server, on the server console, type tell http restart if 
HTTP is running. 

6. To verify that the HTTP server is now listening on port 443, on the server console, 
type show task. 


Next steps 

Establishing a secure session over SSL by using Internet Explorer. 


Establishing a secure session over SSL using IE 

Procedure 

1. To confirm that SSL works on the server, open a browser and type https:// 
<server>.<company>.com/<CR_myco.nsf>. 

The system displays the Security Alert screen. 

2. Click View Certificate. 

3. Click Install Certificate. 

4. On the Certificate Import Wizard screen, click Next. 

5. On the Certificate Store screen, retain the default selection Automatically select 
the certificate store based on the type of certificate, and click Next. 


142 Implementing Avaya one-X® Client Enablement Services Release 6.1 SP1 February 2012 

Comments? infodev&avava.com 






Configuring the WebSphere server 


6. On the Completing the Certificate Import Wizard screen, click Finish. 

The system displays The import was successful message. 

7. Click OK. 

8. On the Security Alert screen, click Yes. 

If the system displays a secured padlock near the top of the Internet Explorer 
window, it means you have successfully established a secure session over SSL. 


Next steps 

Configuring the WebSphere server. 


Configuring the WebSphere server 

Procedure 

1. Log in to the IBM WebSphere Administrative Console by using the administrative 
credentials. 

The address for IBM WebSphere Administrative Console is https: / / 
<oneXCESMachine>:9043/ibm/console. 

2. In the Security section, select SSL certificate and key management. 

3. Navigate to Key stores and certificates >NodeDefaultTrustStore > Signer 
certificates and click Retrieve from port. 

4. In the Host, Port, and Alias fields, enter the host, port, and alias. 

The host is the IP address of the Domain Controller (DC) machine, and the port is 
the port for the LDAPS service. The default port is 636. 

5. Click Retrieve signer information. 

6. To save the configuration, click OK. 

7. To verify the connection, check whether you can connect to the LDAP server by 
using the IBM Console. This test does not use any Client Enablement Services 
code, so it is a good validation for the environment setup. 

8. On the administrative console, navigate to Security > Secure administration, 
applications, and infrastructure. 

If your system is already set up to communicate with a single LDAP environment, 

the Available realm definitions option must be already set to Standalone LDAP 
registry. 

9. Click Configure and configure the LDAP parameters. 

Do not save any information now. 
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10. If you configure the system to communicate with LDAP, change the port to 636, and 
select the SSL Enabled check box in the SSL Settings section. 

11. Click Test connection. 


Next steps 

Configuring Client Enablement Services for LDAPS 


Configuring Avaya one-X® Client Enablement Services for 
LDAPS 

Procedure 

1. Log in to the Client Enablement Services administration client. 

2. Click the System tab. 

The system displays the System tab. 

3. Click Enterprise Directory. 

4. Select the domain for which you must set the LDAPS configuration. 

5. Change the port value to 63 6. 

6. Select Secure Port. 

7. To save the configuration, click Save. 

8. Restart Client Enablement Services. 
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